Two-Thirds of Lost USB Drives Carry Malware
itwbennett writes "Antivirus firm Sophos acquired a passel of USB sticks lost by commuters on trains in the Greater Sydney metro area at an auction organized by the Rail Corporation New South Wales. The company analyzed 50 USB sticks and found that not a single one was encrypted and 33 of them were infected with at least one type of malware."
What do you expect .. (Score:5, Funny)
.. they were lost by the 10% of commuters stupid enough to lose an USB stick.
Re:What do you expect .. (Score:5, Interesting)
I was thinking of a different self-selecting sample- the script kiddies willing to spread malware-infected USB sticks around in public to see which computers phone home.
Re:What do you expect .. (Score:5, Informative)
Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers, is very low.
"We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.
"The malware involved was mostly very prevalent, general-purpose, zombie stuff," Ducklin explained. The security expert believes that this method of malware distribution is not even viable because most lost USB sticks are being handed into lost property rather than being plugged into computers by users.
[TFA]
Re:What do you expect .. (Score:5, Insightful)
100% of items handed in have been handed in -- what a surprise! How do they track lost items that were not handed in? This is as accurate as Gracie Allen's telephone poll -- 100% of people she phoned had a phone.
Re: (Score:3)
It shouldn't be that difficult. The statistics would be a bit wobbly, giving fairly wide error bars, but the data should be available.
(Caveat: this applies to Scotland; it may not apply to the rest of Britain, let alone Australia; the German system doesn't seem terribly different). I've lost mobile phones in the past - in the back of taxis normally - and on one occasion out of IIRC three
Want to bet? (Score:3, Funny)
I find it hard to believe that none of the folks who turned in "lost" USB sticks took a minute to check if there was any hot pr0n on them first.
Re: (Score:3)
They considered that angle. But then
Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers, is very low.
"We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.
[TFA]
Trains are not logically a good place to leave sticks lying around for an attack. People treat things found on trains as suspicious, or worse yet will hand them over to security. In order to attack via this angle you need to get people where they feel safer, such as in a workplace where they'll see a USB stick in the work dunny and think "Free USB stick".
Also, never ascribe to malice what can easily be explained by stupidity. Steve the Salesman, with his Blackpad and iBerry, is paying zero attention to what he is doing and could easily lose a USB stick out of his pocket. Given it will cost his company's IT dept $10 to replace, he just doesn't care.
Re:What do you expect .. (Score:4, Insightful)
.. they were lost by the 10% of commuters stupid enough to lose an USB stick.
Why is this modded troll? Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.? I'm not suggesting that it is impossible for a very careful person to drop something or have it fall through an unknown hole in the pocket, but at the same time, I don't think it is unreasonable to suspect that a population of those who left their USB sticks on the subway aren't necessarily perfectly representative of the population of USB stick users as a whole.
Re: (Score:3)
Because he implies when someone loses something it's because they are stupid; which is false.
Which implies all people not losing stuff are smart.
Re: (Score:3, Insightful)
People who lose stuff are not necessarily more "stupid", but they are definitely more "careless".
And yes, people who care enough to double-check all their possessions lose less than people who don't.
And the people who double-check their possessions are probably also the ones who double-check their virus scanner and/or their encryption.
It has little to do with "stupid". In fact, one of the stereotypes of a careless person is the highly intelligent "absent minded professor".
Re: (Score:2)
And yes, people who care enough to double-check all their possessions lose less than people who don't.
How exactly does one double-check, and in what way is it superior to single-checking?
What about those with zipped pockets or bags versus open pockets or bags. Do you think that might be a factor? And how exactly do you imagine that relates to "carelessness".
Do you imagine the use of zips correlates with computer literacy?
Re:What do you expect .. (Score:4, Interesting)
Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.?
It's not an unreasonable hypothesis to raise. It is unreasonable to assume it's true.
Re: (Score:3)
The incorrect part is saying "An".
You should use "an" as the article if the next word begins with a vowel sound. So we say "a European" (pronounced you-row-pean), "a universal serial bus", "a U-boat", "a yellow banana". We say "an apple", "an honourable discharge", and "an yttrium semiconductor" (pronounced ittrium).
So the rule is based on the sound and how things flow, not the actual letter of the alphabet used.
Re: (Score:3)
The a/an rule of thumb is to use "a" if the next word sounds like it starts with a consonant, and "an" if it sounds like it starts with a vowel.
To English ears, a German speaker says "ooh ess bay", while an English speaker says "you ess bee". The y sound in this case is a consonant, so a native English speaker will say "a you ess bee stick".
All bets are off when the word following a/an starts with an h, since the letter can be silent or verbalized depending on the word and where you grew up.
Mac (Score:5, Insightful)
One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.
Re: (Score:2, Interesting)
... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.
Re:Mac (Score:4, Funny)
... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.
Yes they did, and then the guy you replied to did also.
It was seven. Were you looking for digits? 7.
Re: (Score:2)
0111
Re: (Score:2)
... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.
Yes they did, and then the guy you replied to did also.
Uninfected devices.
Re: (Score:2)
No, they didn't. There were 7 infected ones. The GP said "uninfected," and he's correct (unusual for an AC, I know) - without knowing how many uninfected ones qualify as "used under MacOS," the figure has no significance.
Re:Mac (Score:5, Funny)
FTA
One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.
Which means that those USB drives had been plugged in to a Windows machine at least once.
Re:Mac (Score:4, Funny)
We have a winner!
Re: (Score:2)
However, more than likely what they meant by that statement is that they f
Re: (Score:3)
A few years back Mac USB keys were much more likely to be carriers of Windows viruses since Macs did not scan for those.
Truecrypt? (Score:3, Insightful)
Re:Truecrypt? (Score:5, Insightful)
There is an exception for the container hidden in a container, but that only offers plausible deniability as the existence of the larger container is obvious.
Re: (Score:2)
Because the kind of people who are that careful with their data don't lose the USB sticks on the train and then fail to come looking for them.
Re: (Score:3)
Based on... what? Routine makes fools of us all from time to time.
Re: (Score:2)
An encrypted volume would not look the same as a binary file. Binaries are far from random.
Re: (Score:2)
Are ASCII files more random? How about self-extracting archives?
Re: (Score:2)
As I posted elsewhere, but in case you don't see it - for finding truecrypt volumes hidden in files: http://16s.us/TCHunt/index.php
Re:Truecrypt? (Score:5, Funny)
how would they know if some sort of stenography was being implemented
You are correct. There is no known way to detect which files were transcribed in shorthand by a person taking dictation before being entered by keyboard...
Oh, wait, you meant "steganography", didn't you?
Re: (Score:2)
It should appear as random data (as opposed to an empty or freshly fully-formatted drive, which appears zeroed or one'd depending on the case). This then means either it is encrypted, or has been securely erased. However, sometimes byte chains can be detected within the data. Use a tool like https://code.google.com/p/tcdiscover/ to test your volume.
Although there are more advanced tools available to LEA. Plausible deniability is more important than how hidden the volume is, and you should never give up the ke
Re: (Score:2)
A factory formatted drive may appear as all 0's (that's how a new SD card appeared to me), however a drive reformatted by traditional software will still show the previous contents (except where the FAT or equivalent was overwritten)
I repeat, a full-format does not zero the drive. A full format just performs a READ-verify on the volume. You need DBAN, Eraser, Roadkil's Disk Wipe, or similar to securely wipe the drive (1 pass is sufficient).
Also, True crypt doesn't change the modified date of the container f
Re: (Score:2)
That's true in most cases (although a format in Windows 7 of an SSD will request TRIM, erasing the data, but as we're talking about USB sticks that's not completely relevant here), and in those cases it doesn't appear as random data, but quite easily visible data. And if the perp's deniability is that he just formatted it, the random data is a dead-giveaway.
I wasn't intending to suggest to OP that he could format his drive and clear his data, but rather answering his question as to how his data should look
Re: (Score:2)
"TrueCrypt does not make invisible containers. It makes encrypted containers..."
Another question.
I am assuming that encrypting a container--in this case a USB stick--would also disable any malware already written to the drive as that code would be unrecognizable as code by the computer it was plugged in to...until it was decrypted. On the other side of the coin, if that same encrypted stick was plugged into an infected system, I assume the malware could be written (un-encrypted) to the drive intact and func
Re: (Score:2)
You're quite right. The researchers were simply pointing out that not only a) are none of them encrypted but also, b) they've got malware on them. Two separate issues. Although yes, an encrypted drive can't be infected by malware while encrypted as there's no file system there for it to infect (unless it writes its own MBR, in which case goodbye data) but as soon as it's decrypted and in use that doesn't really matter.
Re:Truecrypt? (Score:5, Funny)
Thanks.
I guess the old adage still applies...
"Careful where you stick that thing, son..."
Re: (Score:2)
An infection can write to the MBR without destroying the data; many malware programs do exactly this.
If it destroys the data, there's a large possibility that the drive will be erased completely, thus obliterating the malware. By only writing over the first section of the MBR the partition table remains intact, so nothing appears to be wrong with the drive.
Re: (Score:2)
TrueCrypt does not make invisible containers. It makes encrypted containers.
I don't know about TrueCrypt but last I heard, MS Win* can't even see multiple partitions on USB keys. It only sees the first one (I don't know if this is still true wrt more recent versions of Win*); anything past the first one is invisible.
I don't bother to encrypt my USB keys either. I've not many secrets worth hiding, and a bzipped afio/cpio archive in a second to N extN ptn should be fairly unreadable for ca. 99% of humanity. Anyone who could read them would be disappointed. Not much for me to worr
Re:Truecrypt? (Score:5, Informative)
Truecrypt isn't designed to be invisible at all. Aside from entirely encrypted drives, it's fairly obvious if someone HAS encrypted data. Truecrypt is about hiding that data via hidden partitions within outer encrypted containers, and plausible deniability.
Truecrypt volumes are generally detectable:
http://www.jadsoftware.com/?page_id=89
https://code.google.com/p/tcdiscover/
And if the researchers discovered drives that are filled entirely with random data, then they know they're either securely formatted or encrypted, and would likely consider them the latter - if they're securely formatted the file system appears intact. If the entire drive is encrypted (or securely erased from the MBR up) then the FS is not intact, and it's a fair bet that the researchers are claiming they found all sticks with intact file systems, formatted to the same volume as the stick, with single partitions.
As are those hidden within files:
http://16s.us/TCHunt/index.php
But - the reason for the ramble: Never make the mistake of thinking Truecrypt is invisible. It's not. What's "invisible" should be your second hidden volume within the Truecrypt container - if you've set it up correctly. And there have previously even been attacks on that, in the event attackers are able to gain access to the external container. Work on your plausible deniability. Don't rely on TC to do the work for you or you'll end up with leaks everywhere.
http://www.schneier.com/paper-truecrypt-dfs.pdf
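The detection idea behind the tools linked in this post (and the "should look like random data" answer earlier in the thread) can be reproduced in a few lines. This is an added example, not TCHunt's or tcdiscover's code: it samples a file or disk image, rejects anything with a recognisable header, and then applies Shannon entropy and a chi-square test against a uniform byte distribution. The thresholds are my assumptions, and as the thread notes, compressed archives also pass, so a hit means "no structure visible", not "encrypted".

```python
"""Flag files or disk images whose contents look like random data."""
import math
import os
from collections import Counter

SAMPLE_BYTES = 64 * 1024   # enough for a stable chi-square estimate
ENTROPY_MIN = 7.9          # bits per byte; uniform data is 8.0
CHI_SQUARE_MAX = 400.0     # df=255, mean 255, sd ~22.6 for truly random input

# Well-known magic numbers (assumed list); a recognisable header rules out a
# raw encrypted volume even if the body behind it is high-entropy.
KNOWN_HEADERS = {
    b"\x7fELF": "ELF binary",
    b"MZ": "DOS/PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
    b"\x1f\x8b": "gzip stream",
    b"BZh": "bzip2 stream",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    if not data:
        return float("inf")
    expected = len(data) / 256.0
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    """Return 'known-format', 'structured' or 'random-looking' for a data sample."""
    for magic in KNOWN_HEADERS:
        if data.startswith(magic):
            return "known-format"
    sample = data[:SAMPLE_BYTES]
    if shannon_entropy(sample) >= ENTROPY_MIN and chi_square(sample) <= CHI_SQUARE_MAX:
        return "random-looking"
    return "structured"


def scan_file(path: str) -> str:
    """Classify the first SAMPLE_BYTES of a file or block device."""
    with open(path, "rb") as fh:
        return classify(fh.read(SAMPLE_BYTES))


def sample_random(n: int = SAMPLE_BYTES) -> bytes:
    """Constructed stand-in for an encrypted volume: OS-provided random bytes."""
    return os.urandom(n)


if __name__ == "__main__":
    # Constructed samples: a zeroed "freshly formatted" image, plain text, random bytes.
    print("zeroed :", classify(bytes(SAMPLE_BYTES)))
    print("text   :", classify(b"The quick brown fox jumps over the lazy dog. " * 1500))
    print("random :", classify(sample_random()))
```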
I can't believe that many people... (Score:5, Funny)
... carry acroread.exe and/or iexplore.exe around on their USB sticks.
Weird.
Re: (Score:2)
Well, I was too lazy to RTFA, but maybe these infected sticks are "lost" on purpose? I mean this has reportedly been done before.
Re: (Score:2)
TFAuthors didn't think so. The logic being that these sticks would more likely end up in the dump than on somebody else's computer and that the malware on the sticks was 'generic zombie stuff' (zombies are generic these days?).
Not a particularly tight argument, but there you have it.....
Re: (Score:2)
Neither of those assumptions makes any sense. The guy's assumptions are simply naive.
You find a usb stick, you are likely to try it out to see what's on it.
The younger you are the more likely you will be to do this.
Generic malware is just as likely to be spread this way as any other. In fact this is a common method of untraceable introduction of a new virus or zombie.
Re:I can't believe that many people... (Score:4, Funny)
I'm more inclined to think that the trains in Australia are carrying viruses and simply infect the USB sticks on contact.
Re:I can't believe that many people... (Score:5, Informative)
This is a routine trick in a security audit: drop some USB sticks in the employee parking lot, and see how many folks just plug it into their computer.
Re: (Score:3)
At work? Count me in. It's not my computer.
Re: (Score:3)
This is a routine trick in a security audit: drop some USB sticks in the employee parking lot, and see how many folks just plug it into their computer.
Or, an autorun CD with "top secret" or "big huge boobies" written on it with a sharpie.
What percent "success" rate do the pen testers get seeding a parking lot with removable media?
I'd label a CD-R with the name of a current large project or some other verbiage and make it look like someone was sneaking out confidential design files. Drop it some place someone will see it who knows about that project, and you'd be almost guaranteed it will get stuck in a computer, they will have to try and see what was
Encryption (Score:5, Insightful)
The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.
Re: (Score:2)
The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.
A common solution is to have multiple versions of encryption/decryption software (such as TrueCrypt) alongside the actual encrypted partition/blob. What you would do is plug it into the "strange" computer, install the software, and then have access to your otherwise-encrypted valuable blob data. Depending on the situation, you can even have multiple encrypted blobs/partitions for different levels of trust.
Re: (Score:2)
I'll encrypt my sticks as soon as somebody makes an encryption software that works seamlessly in Windows AND Mac OS X AND Linux, and is easy to install and use. Currently, the only one that comes even close is Truecrypt, but due to its stupid vanity licence it isn't a real option on Linux, as it is not included in repos and as such isn't easy to install.
LUKS can work on Windows (with FreeOTFE) but not on OS X, so that isn't an option, either.
Re: (Score:2)
I'll (fully) encrypt my sticks as soon as somebody makes an encryption software that is preinstalled in Windows AND Linux. (AND Mac OS X would be nice too). If I can't use it on a computer I don't have admin rights on, full-disk encryption is worthless to me.
On the other hand, I store my backups encrypted with AES-256 in openssl. I keep a Windows binary of OpenSSL on the drive so I know I can decrypt them if I really have to.
Re: (Score:2)
If the computer you plug it into is compromised, your truecrypt key can be sniffed.
Re: (Score:2)
You can't do anything with the encrypted data unless you decrypt it. Once you decrypt it, the host computer has full access to it and your encryption keys. Decrypting files on an untrusted computer is a big no-no.
Lost? Riiigghtt... (Score:5, Interesting)
Re: (Score:2)
I can see someone "loosing" a couple
Me too. I think it was called goatse.
Conclusions (Score:5, Insightful)
(a) unlikely to encrypt the contents of their memory stick, and
(b) prone to malware infections
I'm not certain that this group is representative of the general population, however.
Re: (Score:2)
(c) Blackhats are leaving infected USB sticks on public transit on purpose to act as honey pots and spread infections.
Re: (Score:2, Insightful)
Conclusions you can draw from this study: people who ride transit...
I'm not certain that this group is representative of the general population, however.
You must be American.
Safe USB (Score:5, Funny)
I practice safe USB plugging. I put a rubber cover over my USB stick before I try to plug it in to anything. I have never once caught a virus on it.
Re: (Score:3)
I just pull out early.
Sample issues (Score:3)
This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.
There's another sample out there of sticks that WERE encrypted, or DID have useful data on them, that were recovered by their owners. I.e., these were USB sticks that nobody gave a shit about. Why would we be surprised that there's malware on them and that there was no sensitive data? The other sticks were likely reclaimed.
Re:Sample issues (Score:5, Insightful)
This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.
Auctioning these things seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information (even if accidentally lost) to total strangers.
From TFA:
The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.
Re: (Score:3)
Auctioning these things seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information (even if accidentally lost) to total strangers.
http://en.wikipedia.org/wiki/Lost,_mislaid,_and_abandoned_property
Concerning abandoned or lost property, generally the finder must attempt to locate the original owner (title owner), usually by way of handing the property over to the authorities so they can attempt to return it.
However, if the lost property is not claimed after a time, then it legally becomes the property of the finder, and the finder gains the right to claim ownership over the item, to everyone except the title owner and any other previou
CityRail = CityFail (Score:4, Interesting)
It is more likely that the USBs got infected when someone at CityRail plugged them in to see if there was 'anything good' stored.
Re: (Score:2)
Not if they were plugged into different computers. As Mister Purple said above, a security audit of the CityRail computers should have been done first. And as Icebike said above, I'm also wondering about the legal ramifications for the CityRail about selling things which includes private information.
Very nice of the Rail Corporation to auction them? (Score:3)
So, RailCorp decided to auction off lost property that could well be of a sensitive nature to some random member of the public? How responsible is that? Shouldn't the fact that they are able to sell lost (and used) property off at twice their retail value [sophos.com] ring a few alarm bells?
Re:Very nice of the Rail Corporation to auction th (Score:5, Insightful)
My thoughts exactly.
None of these (256 meg to 8 Gig) were so valuable that their destruction would have been considered a huge waste, and the potential damage to the forgetful owner could be massive. You would think that the LEAST they could do was format them, which itself is far from fool proof. But releasing them intact just seems dumb, even if not illegal.
The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.
Re: (Score:3)
The Rail corporation has no moral right to sell information that could be damaging to the financial well-being of another person
JUST BECAUSE that person accidentally dropped something.
There are laws covering lost property [wikipedia.org] in almost every jurisdiction, and most of them give the finder more rights to the property than anyone other than the original owner. Nevertheless, selling damaging personal information is in itself a crime (invasion of privacy) and that it was carried out by government funded organizat
Re: (Score:3)
No. It's normal SOP. It's not their responsibility to correct everyone else's mistakes. You lose a USB stick and don't claim it? TFB.
The fact they sell it for more than retail just says idiots are buying it.
Re: (Score:2)
You lose a USB stick and don't claim it? TFB.
Because when you lose a USB stick the first place you think to look is the subway...
Re: (Score:2)
Or that people are fishing for data rather than hardware
hello, good samaritan (Score:2)
Don't worry about returning the thumbdrive, I'll just download a copy of your computer.
Two-thirds of drives were on a Windows computer (Score:2)
Because it's generally accepted more than 66% of computers run on an MS OS we can guestimate how many of them are infected.
There are two conclusion possible (Score:2)
a) either a lot of pseudo-security researchers jumped on the 'let's lose USB sticks on the train' train
b) being careless enough to lose a USB stick is correlated with being careless enough not to encrypt it, and both are correlated to being careless enough not to run your virus checker very often.
How _would_ you wipe one if you got it? (Score:4, Interesting)
Okay, so say you find one. Or your relative/friend/coworker gives you one. OR, you need to loan them yours for a few minutes (happens more and more often now that computers don't come with floppies). What then? Once you get it back, how do you wipe it such that you can reuse it, but it doesn't have anything on it? I'd rather not kiss a $3 drive goodbye every time that happens. On Linux you'd have to mount it, so (IIRC) you'd be able to just format the partition before mounting.
But how about on Windows. Mac OS? Or if I have autostart (or whatever it's called) off, am I safe? (and yes, I'm pretty sure that last one isn't right).
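One answer to the question above, which also illustrates the earlier point that a "full format" only read-verifies and does not zero the media: overwrite every byte, flush, then read the whole device back and prove it is all zeros before repartitioning it. This is an added example, not from the original thread; the device path (e.g. /dev/sdX on Linux, needing root) is an assumption, the script never picks one itself, and the demo uses a scratch image file instead of real hardware.

```python
"""Zero a removable drive (or an image of one), then verify the result."""
import os
import sys

CHUNK = 1024 * 1024  # 1 MiB writes keep the device busy without large buffers


def device_size(fh) -> int:
    """Size in bytes of a regular file or a block device opened for reading."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def is_mounted(path: str) -> bool:
    """Linux-only guard: refuse to touch a device that is currently mounted."""
    try:
        with open("/proc/mounts") as fh:
            return any(line.split()[0] == path for line in fh)
    except FileNotFoundError:  # not Linux; no mount table to consult
        return False


def wipe_zero(path: str) -> int:
    """Overwrite `path` with zeros end to end and fsync. Returns bytes written."""
    if is_mounted(path):
        raise RuntimeError(f"{path} is mounted; unmount it first")
    zeros = bytes(CHUNK)
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        size = device_size(fh)
        while written < size:
            # FileIO.write may be partial; keep writing from the current offset.
            written += fh.write(zeros[:min(CHUNK, size - written)])
        os.fsync(fh.fileno())  # data must reach the device, not just the page cache
    return written


def verify_zero(path: str) -> bool:
    """Read `path` back and confirm every byte is 0x00.

    On its own this is just a read-verify, which is all a "full format" does;
    it proves erasure only after wipe_zero() has actually overwritten the data.
    """
    with open(path, "rb", buffering=0) as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def demo(path: str = "wipe_demo.img", size: int = 3 * CHUNK + 12345):
    """Constructed scratch image (random bytes, odd size) standing in for a stick.
    Returns (all-zero before, bytes written, all-zero after)."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(size))
    try:
        before = verify_zero(path)
        written = wipe_zero(path)
        after = verify_zero(path)
    finally:
        os.remove(path)
    return before, written, after


if __name__ == "__main__":
    if len(sys.argv) == 2:
        dev = sys.argv[1]  # assumption: a device or image the user chose explicitly
        print(f"wrote {wipe_zero(dev)} bytes; all zero: {verify_zero(dev)}")
    else:
        print("demo on scratch image:", demo())
```

After a successful verify the stick carries no partition table, so recreate one and format it before reuse.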
Re: (Score:3)
Failing that, snap the thing in half and chuc
Re: (Score:2)
Actually, leaving it on a bus is a pretty poor way to spread malware. If you are going to be dropsticking, then you want to do it in and around internet cafes and libraries - places where you expect people with computers to be.
Because we all know, people who take buses and trains don't use computers, right?
Which begs the question of why these usb sticks were found on trains in the first place.
Re: (Score:3, Funny)
Dude. Stop with the brain hurt.
Clearly, people got these because they are dumb. We know that they are dumb because they ride public transit. They ride public transit because they are poor. Dumb, poor, train people got sticks without understanding what they were for. They probably tried to eat them and left them in the train.
Because they're dumb, poor, non-computer people.
QED.
Now I have to go catch a train home.
Re: (Score:2)
There is not much that works cross platform. If I were moving data between completely different platforms, I'd use something standard that would work on a file basis, rather than a filesystem or disk basis. The answer to this is gpg. Most platforms have a working gpg ported to them, be it Android, Solaris, AIX, Windows, Linux, BSD, or even iOS (both jailbroken and non jailbroken apps). I'd just encrypt a file using a passphrase and call it done. If it were a bunch of files, create a bit of chaff
Re: (Score:2)
1) Give it to either my boss, who has a Mac at his desk, or a coworker with a Ubuntu desktop. Failing that, boot a spare laptop off my Ubuntu boot-stick and use that.
Re: (Score:2)
Autorun / Autoplay should be permanently disabled anyway. I believe Vista/7 are a bit tighter than XP as far as Autorun, and XP is slightly better than nothing.
The default action in XP is to execute autorun on CDs. This is how Sony rootkits get spread, and poses a hazard with U3 drives which have a partition that appears like a CD.
With flash drives by default XP will load the "what do you want to do?" window and the first option will be the autorun. However if you cancel this dialog, and at any point double