Australia Data Storage Security IT

Two-Thirds of Lost USB Drives Carry Malware

Posted by samzenpus
from the bugs-everywhere dept.
itwbennett writes "Antivirus firm Sophos acquired a passel of USB sticks lost by commuters on trains in the Greater Sydney metro area at an auction organized by the Rail Corporation New South Wales. The company analyzed 50 USB sticks and found that not a single one was encrypted and 33 of them were infected with at least one type of malware."
  • by roguegramma (982660) on Wednesday December 07, 2011 @04:55PM (#38295956) Journal

    .. they were lost by the 10% of commuters stupid enough to lose a USB stick.

    • by Marxist Hacker 42 (638312) * <seebert42@gmail.com> on Wednesday December 07, 2011 @05:18PM (#38296222) Homepage Journal

      I was thinking of a different self-selecting sample- the script kiddies willing to spread malware-infected USB sticks around in public to see which computers phone home.

      • by MurukeshM (1901690) on Wednesday December 07, 2011 @05:48PM (#38296546)
        They considered that angle. But then

        Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers is very low.

        "We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.

        "The malware involved was mostly very prevalent, general-purpose, zombie stuff," Ducklin explained. The security expert believes that this method of malware distribution is not even viable because most lost USB sticks are being handed into lost property rather than being plugged into computers by users.

        [TFA]

        • by jabberw0k (62554) on Wednesday December 07, 2011 @06:17PM (#38296896) Homepage Journal

          most lost USB sticks are being handed into lost property rather than being plugged into computers by users.

          100% of items handed in, have been handed in -- what a surprise! How do they track lost items that were not handed in? This is as accurate as Gracie Allen's telephone poll -- 100% of people she phoned, had a phone.

          • by RockDoctor (15477)

            100% of items handed in, have been handed in -- what a surprise! How do they track lost items that were not handed in?

            It shouldn't be that difficult. The statistics would be a bit wobbly, giving fairly wide error bars, but the data should be available.

            (Caveat : this applies to Scotland ; it may not apply to the rest of Britain, let alone Australia ; the German system doesn't seem terribly different). I've lost mobile phones in the past - in the back of taxis normally - and on one occasion out of IIRC three

        • by Paul1969 (1976328)

          I find it hard to believe that none of the folks who turned in "lost" USB sticks took a minute to check if there was any hot pr0n on them first.

        • by mjwx (966435)

          They considered that angle. But then

          Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers is very low.

          "We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.

          [TFA]

          Trains are not logically a good place to leave sticks lying around for an attack. People treat things found on trains as suspicious, or worse yet, will hand them over to security. In order to attack via this angle you need to get people where they feel safer, such as in a workplace where they'll see a USB stick in the work dunny and think "Free USB stick".

          Also, never ascribe to malice what can easily be explained by stupidity. Steve the Salesman with his Blackpad and iBerry, paying zero attention to what he is doing, could easily lose a USB stick out of his pocket. Given it will cost his company's IT dept $10 to replace, he just doesn't care.

    • by BitterOak (537666) on Wednesday December 07, 2011 @05:18PM (#38296236)

      .. they were lost by the 10% of commuters stupid enough to lose a USB stick.

      Why is this modded troll? Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.? I'm not suggesting that it is impossible for a very careful person to drop something or have it fall through an unknown hole in the pocket, but at the same time, I don't think it is unreasonable to suspect that a population of those who left their USB sticks on the subway aren't necessarily perfectly representative of the population of USB stick users as a whole.

      • by geekoid (135745)

        Because he implies when someone loses something it's because they are stupid; which is false.

        Which implies all people not losing stuff are smart.

        • Re: (Score:3, Insightful)

          by aix tom (902140)

          People who lose stuff are not necessarily more "stupid", but they are definitely more "careless"

          And yes, people who care enough to double-check all their possessions lose less than people who don't.

          And the people who double-check their possessions are probably also the ones who double-check their virus scanner and/or their encryption.

          It has little to do with "stupid". In fact, one of the stereotypes of a careless person is the highly intelligent "absent-minded professor".

          • And yes, people who care enough to double-check all their possessions lose less than people who don't.

            How exactly does one double-check, and in what way is it superior to single-checking?

            What about those with zipped pockets or bags versus open pockets or bags. Do you think that might be a factor? And how exactly do you imagine that relates to "carelessness".

            Do you imagine the use of zips correlates with computer literacy?

        • by nine-times (778537) <nine.times@gmail.com> on Wednesday December 07, 2011 @06:00PM (#38296712) Homepage
          It seems likely that people who are careless also lose things more often.
        • But it is not unreasonable to expect that people who are less careful with physical possessions may also be less careful in other ways as well. So it would not surprise me if there is a correlation between "tends to lose USB sticks in public places" and "tends to get infected with malware".
      • by BasilBrush (643681) on Wednesday December 07, 2011 @06:02PM (#38296728)

        Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.?

        It's not an unreasonable hypothesis to raise. It is unreasonable to assume it's true.

    • by hairyfeet (841228)

      Call me paranoid but maybe some of the infected ones were lost on purpose? There are plenty of places to buy REALLY cheap USB sticks, especially if you get the smaller ones. IIRC there is a place selling the 256Mb sticks for something like 40c in bulk. If I wanted to spread malware to as many people as possible it sounds like an awfully cheap way to do it, just leave sticks around the places where those that work at the place I want to hack frequent, like say the subway they use at the time of the day they use

  • Mac (Score:5, Insightful)

    by cyachallenge (2521604) on Wednesday December 07, 2011 @04:56PM (#38295960)
    FTA

    One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      ... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

      • Re:Mac (Score:4, Funny)

        by Rockoon (1252108) on Wednesday December 07, 2011 @05:37PM (#38296422)

        ... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

        Yes they did, and then the guy you replied to did also.

        It was seven. Were you looking for digits? 7.

        • by geekoid (135745)

          0111

        • ... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

          Yes they did, and then the guy you replied to did also.

          Uninfected devices.

        • by msauve (701917)

          Yes they did

          No, they didn't. There were 7 infected ones. The GP said "uninfected," and he's correct (unusual for an AC, I know) - without knowing how many uninfected ones qualify as "used under MacOS," the figure has no significance.

    • Re:Mac (Score:5, Funny)

      by John Bresnahan (638668) on Wednesday December 07, 2011 @05:47PM (#38296538)

      FTA

      One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.

      Which means that those USB drives had been plugged in to a Windows machine at least once.

      • Re:Mac (Score:4, Funny)

        by BasilBrush (643681) on Wednesday December 07, 2011 @06:15PM (#38296874)

        We have a winner!

      • Well, they don't really say what they meant by "formatting", if the sticks were formatted as HFS+ then I doubt they had been plugged into Windows computers, or at the very least got the malware from the Windows machine as right now there is no tool that can write directly to an HFS+ disk..... It's possible that they picked them up through using shared folders with a Windows VM and had their USB shared, but that seems pretty unlikely

        However, more than likely what they meant by that statement is that they f
    • by Alomex (148003)

      A few years back Mac USB keys were much more likely to be carriers of Windows viruses since Macs did not scan for those.

       

  • Truecrypt? (Score:3, Insightful)

    by shellster_dude (1261444) on Wednesday December 07, 2011 @04:56PM (#38295964)
    How would they know if it had been encrypted by something like Truecrypt which is designed to be invisible to prying eyes?
    • Re:Truecrypt? (Score:5, Insightful)

      by mr1911 (1942298) on Wednesday December 07, 2011 @05:01PM (#38296016)
      TrueCrypt does not make invisible containers. It makes encrypted containers.

      There is an exception for the container hidden in a container, but that only offers plausible deniability as the existence of the larger container is obvious.
      • Re:Truecrypt? (Score:4, Insightful)

        by shellster_dude (1261444) on Wednesday December 07, 2011 @05:20PM (#38296260)
        Still, how would they know if some sort of steganography was being implemented, or if I had a Truecrypt volume called "ProgramA.bin"?
      • I've only used TrueCrypt in two instances. First being a file container in which I could mount and store stuff. The other in which I provisioned a USB drive to store data. With regard to the last option, I was always nagged about the flash drive not being formatted and asked if I wished to do so. So my wife finds the sucker and formats it, thinking it was up for grabs. Though I am curious. Does TrueCrypt anticipate the drive being encrypted by reading a certain set of LBA blocks? Is it something in the

        • by black3d (1648913)

          It should appear as random data (as opposed to an empty or freshly fully-formatted drive which appear zeroed or one'd depending on the case). This then means either it is encrypted, or has been securely erased. However, sometimes byte chains can be detected within the data. Use a tool like https://code.google.com/p/tcdiscover/ [google.com] to test your volume.

          Although there are more advanced tools available to LEA. Plausible deniability is more important than how hidden the volume is, and you should never give up the ke

          • A factory formatted drive may appear as all 0's (that's how a new SD card appeared to me), however a drive reformatted by traditional software will still show the previous contents (except where the FAT or equivalent was overwritten)

            I repeat, a full-format does not zero the drive. A full format just performs a READ-verify on the volume. You need DBAN, Eraser, Roadkil's Disk Wipe, or similar to securely wipe the drive (1 pass is sufficient).

            Also, TrueCrypt doesn't change the modified date of the container f

            • by black3d (1648913)

              That's true in most cases (although a format in Windows 7 of an SSD will request TRIM, erasing the data, but as we're talking about USB sticks that's not completely relevant here), and in those cases it doesn't appear as random data, but quite easily visible data. And if the perp's deniability is that he just formatted it, the random data is a dead-giveaway.

              I wasn't intending to suggest to OP that he could format his drive and clear his data, but rather answering his question as to how his data should look.

        • Truecrypt containers have an encrypted header in a particular chunk of the file. Truecrypt attempts to decrypt the data at this location with the given key. If it succeeds, then we know the file is a Truecrypt container. There is also another location that potentially holds an encrypted header describing a hidden volume.
      • "TrueCrypt does not make invisible containers. It makes encrypted containers..."

        Another question.

        I am assuming that encrypting a container--in this case a USB stick--would also disable any malware already written to the drive as that code would be unrecognizable as code by the computer it was plugged in to...until it was decrypted. On the other side of the coin, if that same encrypted stick was plugged into an infected system, I assume the malware could be written (un-encrypted) to the drive intact and func

        • by black3d (1648913)

          You're quite right. The researchers were simply pointing out that not only a) are none of them encrypted but also, b) they've got malware on them. Two separate issues. Although yes, an encrypted drive can't be infected by malware while encrypted as there's no file system there for it to infect (unless it writes its own MBR, in which case goodbye data) but as soon as it's decrypted and in use that doesn't really matter.

          • by Anachragnome (1008495) on Wednesday December 07, 2011 @06:13PM (#38296858)

            Thanks.

            I guess the old adage still applies...

            "Careful where you stick that thing, son..."

          • by Fjandr (66656)

            An infection can write to the MBR without destroying the data; many malware programs do exactly this.

            If it destroys the data, there's a large possibility that the drive will be erased completely, thus obliterating the malware. By only writing over the first section of the MBR the partition table remains intact, so nothing appears to be wrong with the drive.
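The integrity check a defender would run against the scenario described in the two posts above, as an added example (not code from the thread, from Sophos, or from any tool it links): parse the 512-byte MBR of a removable-drive image, read the partition table, and compare the 446-byte boot-code area with a known-good digest, so that a rewrite of the boot code that leaves the partition table intact is still reported. The two sample MBRs and their "boot code" are constructed placeholders (text markers padded with zeros), not real boot loaders; the baseline digest is simply taken from the clean sample.

```python
"""Parse an MBR and check its boot code against a known-good baseline.

Added example for this thread. The two sample MBRs below are constructed
placeholders: their "boot code" is a text marker, not a real boot loader.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: executable boot code
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
PART_TYPE_FAT32_LBA = 0x0C


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry (the CHS fields are ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(mbr):
    """Return the partition table, the signature check and a digest of the boot code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = mbr[off:off + PART_ENTRY_LEN]
        if entry[4] != 0:          # partition type 0x00 marks an unused slot
            partitions.append(parse_partition_entry(entry))
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
    }


def check_mbr(mbr, known_good_boot_code_sha256):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


# --- constructed sample data ------------------------------------------------

def partition_entry(bootable, ptype, lba_start, sectors):
    """Pack a partition entry; CHS fields are zeroed as on LBA-only media."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(boot_code, entries):
    """Assemble boot code, up to four entries and the signature into 512 bytes."""
    if len(boot_code) != BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("bad boot code length or too many entries")
    table = b"".join(entries).ljust(4 * PART_ENTRY_LEN, b"\0")
    return boot_code + table + BOOT_SIGNATURE


# one FAT32 (LBA) partition starting at sector 2048; values are constructed
SAMPLE_TABLE = [partition_entry(False, PART_TYPE_FAT32_LBA, 2048, 15_000_000)]


def constructed_clean_mbr():
    """Baseline MBR; the boot code is a constructed marker, not real code."""
    boot = b"CONSTRUCTED BASELINE BOOT CODE".ljust(BOOT_CODE_LEN, b"\0")
    return build_mbr(boot, SAMPLE_TABLE)


def constructed_modified_mbr():
    """Same partition table, but the boot-code area has been rewritten."""
    boot = b"CONSTRUCTED MODIFIED BOOT CODE".ljust(BOOT_CODE_LEN, b"\0")
    return build_mbr(boot, SAMPLE_TABLE)


if __name__ == "__main__":
    baseline = parse_mbr(constructed_clean_mbr())["boot_code_sha256"]
    for name, image in (("clean", constructed_clean_mbr()),
                        ("modified", constructed_modified_mbr())):
        info = parse_mbr(image)
        print(name, info["partitions"], check_mbr(image, baseline) or "OK")
```

On a real drive the first 512 bytes of the raw device (not of a partition) are the input, and the baseline digest has to come from a copy taken before the stick was lent out; without that reference the partition table alone tells you nothing, which is exactly the gap the post describes.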

      • by tqk (413719)

        TrueCrypt does not make invisible containers. It makes encrypted containers.

        I don't know about TrueCrypt but last I heard, MS Win* can't even see multiple partitions on USB keys. It only sees the first one (I don't know if this is still true wrt more recent versions of Win*); anything past the first one is invisible.

        I don't bother to encrypt my USB keys either. I've not many secrets worth hiding, and a bzipped afio/cpio archive in a second to N extN ptn should be fairly unreadable for ca. 99% of humanity. Anyone who could read them would be disappointed. Not much for me to worr

    • Re:Truecrypt? (Score:5, Informative)

      by black3d (1648913) on Wednesday December 07, 2011 @05:24PM (#38296308)

      Truecrypt isn't designed to be invisible at all. Aside from entirely encrypted drives, it's fairly obvious if someone HAS encrypted data. Truecrypt is about hiding that data via hidden partitions within outer encrypted containers, and plausible deniability.

      Truecrypt volumes are generally detectable:
      http://www.jadsoftware.com/?page_id=89 [jadsoftware.com]
      https://code.google.com/p/tcdiscover/ [google.com]
      And if the researchers discovered drives that are filled entirely with random data, then they know they're either securely formatted or encrypted, and would likely consider them the latter - if they're securely formatted the file system appears intact. If the entire drive is encrypted (or securely erased from the MBR up) then the FS is not intact, and it's a fair bet that the researchers are claiming they found all sticks with intact file systems, formatted to the same volume as the stick, with single partitions.

      As are those hidden within files:
      http://16s.us/TCHunt/index.php [16s.us]

      But - the reason for the ramble: Never make the mistake of thinking Truecrypt is invisible. It's not. What's "invisible" should be your second hidden volume within the Truecrypt container - if you've set it up correctly. And there have previously even been attacks on that, in the event attackers are able to gain access to the external container. Work on your plausible deniability. Don't rely on TC to do the work for you or you'll end up with leaks everywhere.
      http://www.schneier.com/paper-truecrypt-dfs.pdf [schneier.com]
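The byte-statistics heuristic that the post above (and black3d's earlier reply about drives "appearing as random data") describes, written out as an added example; this is not the thread's code, not Sophos's method, and not any of the linked tools. It classifies a drive image as constant (zeroed or one'd), a recognisable filesystem, random-looking (encrypted or securely wiped) or other, using Shannon entropy and a chi-square test on the byte histogram. The three sample images are constructed inline, and the thresholds (7.9 bits/byte, chi-square below 400) are assumptions chosen for this example, not published values.

```python
"""Classify a drive image as constant, filesystem, random-like or other.

Added example for this thread. The three sample images are constructed here;
the thresholds are heuristics chosen for the example, not a published standard.
"""
import math
import random
from collections import Counter

SECTOR = 512


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, near 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data):
    """Chi-square of the byte histogram against uniform (expectation 255 for random bytes)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def has_filesystem_signature(sector0):
    """Cheap first-sector check: 0x55AA boot marker or a FAT/NTFS OEM name string."""
    if len(sector0) < SECTOR:
        return False
    if sector0[510:512] == b"\x55\xaa":
        return True
    oem = sector0[3:11]
    return any(oem.startswith(p) for p in (b"MSDOS", b"MSWIN", b"NTFS", b"mkfs"))


def classify_image(image):
    """'constant' (zeroed/one'd), 'filesystem', 'random-like' or 'other'.

    Random-like means entropy above 7.9 bits/byte and a chi-square statistic
    near its expectation. Compressed archives and media files also score high,
    so a real examination checks for known file and filesystem signatures
    before calling a region encrypted or wiped.
    """
    if len(set(image)) <= 1:
        return "constant"
    if has_filesystem_signature(image[:SECTOR]):
        return "filesystem"
    if shannon_entropy(image) > 7.9 and chi_square(image) < 400:
        return "random-like"
    return "other"


def constructed_samples(sectors=32):
    """Three constructed images of `sectors` * 512 bytes each."""
    size = sectors * SECTOR
    rng = random.Random(20111207)        # fixed seed: reproducible stand-in for ciphertext

    zeroed = bytes(size)                 # factory-fresh or zero-filled stick

    boot = bytearray(SECTOR)             # minimal FAT-style boot sector
    boot[0:3] = b"\xeb\x3c\x90"          # jump that opens a FAT boot sector
    boot[3:11] = b"MSDOS5.0"             # OEM name
    boot[510:512] = b"\x55\xaa"
    filler = b"README.TXT  quarterly figures, internal only  "
    fat = bytes(boot) + (filler * (size // len(filler) + 1))[:size - SECTOR]

    random_like = bytes(rng.getrandbits(8) for _ in range(size))
    return {"zeroed": zeroed, "fat": fat, "random": random_like}


if __name__ == "__main__":
    for name, image in constructed_samples().items():
        print(f"{name:7s} entropy={shannon_entropy(image):.3f} "
              f"chi2={chi_square(image):8.1f} -> {classify_image(image)}")
```

The point the post makes survives the numbers: a volume that passes the random-like test is indistinguishable, by statistics alone, from one that was securely wiped, and a container stored as an ordinary file only shows up if the file itself is examined; the heuristic says where to look, not what is there.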

  • by Fallingcow (213461) on Wednesday December 07, 2011 @04:57PM (#38295978) Homepage

    ... carry acroread.exe and/or iexplore.exe around on their USB sticks.

    Weird.

    • by kju (327)

      Well, I was too lazy to RTFA, but maybe these infected sticks are "lost" on purpose? I mean this has reportedly been done before.

      • TFA says they think this is unlikely due to the type of malware they found.
      • TFAuthors didn't think so. The logic being that these sticks would more likely end up in the dump than on somebody else's computer and that the malware on the sticks was 'generic zombie stuff' (zombies are generic these days?).

        Not a particularly tight argument, but there you have it.....

        • by icebike (68054)

          Neither of those assumptions makes any sense. The guy's assumptions are simply naive.

          You find a usb stick, you are likely to try it out to see what's on it.
          The younger you are the more likely you will be to do this.

          Generic malware is just as likely to be spread this way as any other. In fact this is a common method of untraceable introduction of a new virus or zombie.

      • by jd (1658) <imipakNO@SPAMyahoo.com> on Wednesday December 07, 2011 @05:36PM (#38296412) Homepage Journal

        I'm more inclined to think that the trains in Australia are carrying viruses and simply infect the USB sticks on contact.

  • Encryption (Score:5, Insightful)

    by Hatta (162192) on Wednesday December 07, 2011 @04:58PM (#38295982) Journal

    The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

    • Re:Encryption (Score:5, Informative)

      by Anonymous Coward on Wednesday December 07, 2011 @05:06PM (#38296106)
      That's not the only point of USB sticks - they can also be used to synchronise two trusted computers at different locations. I use one for just this purpose. However, mine is encrypted.
    • by Baloroth (2370816)
      Or to carry sensitive data often accessed and modified which you don't want on the Internet at all, or to carry the private key for data that is on the Internet. In either case, encryption would be useful. I can think of a few cases where encryption on a USB drive makes sense. Not a lot, true. And in almost any case, invisible encryption would be more useful, so they wouldn't have seen it anyways.
    • by Jahava (946858)

      The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

      A common solution is to have multiple versions of encryption/decryption software (such as TrueCrypt) alongside the actual encrypted partition/blob. What you would do is plug it into the "strange" computer, install the software, and then have access to your otherwise-encrypted valuable blob data. Depending on the situation, you can even have multiple encrypted blobs/partitions for different levels of trust.

    • by plj (673710)

      I'll encrypt my sticks as soon as somebody makes an encryption software that works seamlessly in Windows AND Mac OS X AND Linux, and is easy to install and use. Currently, the only one that comes even close is Truecrypt, but due to its stupid vanity licence it isn't a real option on Linux, as it is not included in repos and as such isn't easy to install.

      LUKS can work on Windows (with FreeOTFE) but not on OS X, so that isn't an option, either.

      • by Ken_g6 (775014)

        I'll (fully) encrypt my sticks as soon as somebody makes an encryption software that is preinstalled in Windows AND Linux. (AND Mac OS X would be nice too). If I can't use it on a computer I don't have admin rights on, full-disk encryption is worthless to me.

        On the other hand, I store my backups encrypted with AES-256 in openssl. I keep a Windows binary of OpenSSL on the drive so I know I can decrypt them if I really have to.

  • Lost? Riiigghtt... (Score:5, Interesting)

    by wjcofkc (964165) on Wednesday December 07, 2011 @05:01PM (#38296014)
    I can see someone "losing" a couple in the employee smoking area outside of a bank or large tech company. Lost, sure they were.
  • Conclusions (Score:5, Insightful)

    by Rudisaurus (675580) on Wednesday December 07, 2011 @05:01PM (#38296026)
    Conclusions you can draw from this study: people who ride transit and lose their USB memory stick while doing so are

    (a) unlikely to encrypt the contents of their memory stick, and
    (b) prone to malware infections

    I'm not certain that this group is representative of the general population, however.
    • (c) Blackhats are leaving infected USB sticks on public transit on purpose to act as honey pots and spread infections.

    • Re: (Score:2, Insightful)

      by BasilBrush (643681)

      Conclusions you can draw from this study: people who ride transit...
      I'm not certain that this group is representative of the general population, however.

      You must be American.

  • Safe USB (Score:5, Funny)

    by FuzzyHead (86261) on Wednesday December 07, 2011 @05:03PM (#38296044)

    I practice safe USB plugging. I put a rubber cover over my USB stick before I try to plug it in to anything. I have never once caught a virus on it.

  • by igorthefiend (831721) on Wednesday December 07, 2011 @05:08PM (#38296122)

    This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.

    There's another sample out there of sticks that WERE encrypted, or DID have useful data on them that were recovered by their owners. IE they were USB sticks that nobody gave a shit about. Why would we be surprised that there's malware on them and that there was no sensitive data. The other sticks were likely reclaimed.

    • Re:Sample issues (Score:5, Insightful)

      by icebike (68054) on Wednesday December 07, 2011 @05:22PM (#38296276)

      This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.

      Auctioning these things seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information, (even if accidentally lost) to total strangers.

      From TFA:

      The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.

      • by dissy (172727)

        Auctioning these thing seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information, (even if accidentally lost) to total strangers.

        http://en.wikipedia.org/wiki/Lost,_mislaid,_and_abandoned_property [wikipedia.org]

        Concerning abandoned or lost property, generally the finder must attempt to locate the original owner (title owner), usually by way of handing the property over to the authorities so they can attempt to return it.

        However, if the lost property is not claimed after a time, then it legally becomes the property of the finder, and the finder gains the right to claim ownership over the item, to everyone except the title owner and any other previou

  • CityRail = CityFail (Score:4, Interesting)

    by Anonymous Coward on Wednesday December 07, 2011 @05:10PM (#38296154)

    It is more likely that the USBs got infected when someone at CityRail plugged them in to see if there was 'anything good' stored.

  • by sirdude (578412) on Wednesday December 07, 2011 @05:11PM (#38296166)

    So, RailCorp decided to auction off lost property that could well be of a sensitive nature to some random member of the public? How responsible is that? Shouldn't the fact that they are able to sell lost (and used) property off at twice their retail value [sophos.com] ring a few alarm bells?

    • by icebike (68054) on Wednesday December 07, 2011 @05:27PM (#38296342)

      My thoughts exactly.

      None of these (256 meg to 8 Gig) were so valuable that their destruction would have been considered a huge waste, and the potential damage to the forgetful owner could be massive. You would think that the LEAST they could do was format them, which itself is far from fool proof. But releasing them intact just seems dumb, even if not illegal.

      The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.

    • by geekoid (135745)

      No. It's normal SOP. It's not their responsibility to correct everyone else's mistakes. You lose a USB stick and don't claim it? TFB.

      The fact they sell it for more than retail just says idiots are buying it.

      • by Nidi62 (1525137)

        You lose a USB stick and don't claim it? TFB.

        Because when you lose a USB stick the first place you think to look is the subway...

      • Or that people are fishing for data rather than hardware

  • Summary... (Score:5, Insightful)

    by Chelloveck (14643) on Wednesday December 07, 2011 @05:27PM (#38296344) Homepage
    Anti-virus vendor says there's yet another way to get a virus, and you need their product even more. Film at eleven.
  • Hey, you found my virus collection! I've been looking for that.
    Don't worry about returning the thumbdrive, I'll just download a copy of your computer.
  • One clear outcome of this investigation is that 2/3 of these USB drives were inserted into Windows computers.

    Because it's generally accepted more than 66% of computers run on an MS OS we can guestimate how many of them are infected.

  • a) either a lot of pseudo-security researchers jumped on the 'let's lose USB sticks on the train' train

    b) being careless enough to lose a USB stick is correlated with being careless enough not to encrypt it, and both are correlated with being careless enough not to run your virus checker very often.

  • by mbourgon (186257) on Wednesday December 07, 2011 @09:00PM (#38298538) Homepage

    Okay, so say you find one. Or your relative/friend/coworker gives you one. OR, you need to loan them yours for a few minutes (happens more and more often now that computers don't come with floppies). What then? Once you get it back, how do you wipe it such that you can reuse it, but it doesn't have anything on it? I'd rather not kiss a $3 drive goodbye every time that happens. On Linux you'd have to mount it, so (IIRC) you'd be able to just format the partition before mounting.

    But how about on Windows. Mac OS? Or if I have autostart (or whatever it's called) off, am I safe? (and yes, I'm pretty sure that last one isn't right).

    • Personally, I use a LiveCD (Dr Web) in an old laptop with no hard disk as a sheep-dip station. If I'm handed a memory stick, it gets scanned before it touches a network-connected device. It's not 100% foolproof, but it eliminates a lot of risk. Once scanned, I plug it in to my workstation to see what's on it. Disabling auto-run prevents automatic launch of any payload, and a media-insertion scan from $favouriteAVproduct will let you know of anything else untoward.
      Failing that, snap the thing in half and chuc
