back to article Half of people plug in USB drives they find in the parking lot

A new study has found that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs. Researchers from Google, the University of Illinois Urbana-Champaign, and the University of Michigan, spread 297 USB drives around the Urbana-Champaign campus. They found that 48 …

  1. Franklin
    Pirate

    Maybe large biz needs to invest in some educational posters. I'm thinking something like the "Loose Lips Sink Ships" propaganda posters from WWII, perhaps a bold color with a cartoon sketch of a USB drive with shark teeth over a witty slogan that rhymes, posted in hallways and employee break rooms.

    I will leave the witty slogans to someone far cleverer than I.

    1. Stevie

      Educational Posters

      Unisys had some back in the 90s that were produced in a depressing three color scheme (grey, red and black on white paper) depicting Fidel Castro presenting two eager children wearing patched long combination underwear with 8" floppy discs which appeared to be infested with earthworms.

      The inspirational message read: Don't give your computer a "virus". (The wording may be off, but the quotes around "virus" are as on the poster).

      The fact that this poster looked exactly like some inspirational posters a colleague had brought back from behind the iron curtain a decade before was icing on the cake.

      1. Anonymous Coward
        Anonymous Coward

        Re: Educational Posters

        > Maybe large biz needs to invest in some educational posters.

        Have you just found a USB in the carpark?

        Are you going to plug it in to see what's on it?

        U Silly Berk

    2. Someone_Somewhere

      Re: witty slogans

      I'm not cleverer, nor is this particularly witty, but, "Used USB Drives Cost Lives."

      1. Anonymous Coward
        Anonymous Coward

        Re: witty slogans

        As slogans go it's not the best, but it doesn't make that much difference. Sadly with even a wildly successful security education campaign you are only talking about an effectiveness of 2-3% at best. So six months after were you to repeat the test you would find the number of people plugging in the drive would only have dropped to 47%.

      2. allthecoolshortnamesweretaken

        Re: witty slogans

        Not that witty, but how about

        "If you do stupid shit like that the IT guys are allowed to beat you with baseball bats!"

      3. Tigra 07
        Linux

        Re: Someone_Somewhere

        Maybe just a photo of a USB stick being wheeled into a castle by men in armour?

        "Don't invite trojans onto our systems"

    3. Mark 85

      Better than a poster. Just fill each USB port with epoxy except for the mouse and keyboard plug-ins. Then again, there's idiots who would unplug the keyboard and put the stick in there.

      Short of explosives, we can educate all we want but humans are curious and that is the problem.

      1. Ole Juul

        No need for extraordinary or malicious measures. There are safe pranks which can effectively be applied here. USB sticks filled with one of the standard stink bomb mixtures and heating up when you plug them in will work fine. When the office smells like rotten egg and faeces, the culprit will be shamed.

        1. TheOtherHobbes

          >When the office smells like rotten egg and faeces, the culprit will be shamed.

          In the boardroom, it's not obvious anyone will notice a difference.

        2. Nigel 11

          When the office smells like rotten egg and faeces, the culprit will be shamed.

          Just make sure you wear gloves when you assemble it. I suspect it will be some clueless executive's office that will get stinked out, and that he'll hire a private forensics company to try to find the culprit and fire him ( after he's tried to convince the local plod that it's bio-terrorists, and the plod laughed in his face).

          Maybe safer to chuck that perfumed USB stick into your local competitor's car-park? Or scale it down to essence of Poundland air-freshener instead of essence of polecat?

          Most entertaining of all might be a few grams of cannabis ....

        3. earl grey
          Trollface

          office smells like rotten egg and faeces

          Wait, you're saying that's not a normal office smell?

      2. P. Lee

        Better than Glue!

        Get those people who write your OS to run the USB drivers in a separate protection ring.

        USB is not normally a speed-critical system in most cases (unlike the NIC or SAS/SATA interfaces) and we know dodgy stuff get's plugged in. So why isn't the OS written properly?

        I can understand free stuff you haven't paid for, or stuff which runs on multiple architectures doing it wrong, but if you pay for your OS and it is single architecture only, you should be demanding more.

        The security software people know it is required. The OS people know it is required - they just can't be bothered and dumb is cheap for the vendor.

        1. Pookietoo

          Re: run the USB drivers in a separate protection ring

          But how do you tell a rogue USB stick that mimics an HID from a genuine HID?

    4. Warm Braw

      Maybe large technology-consuming biz needs to lean on large technology-producing biz so that the mere act of plugging a device into a computer can't result in major harm.

      It's a really sad indictment of the computer industry (and it's a problem that's affected pretty much every vendor over the years) that we have major data exfiltrations and hospitals shut down and everyone just shrugs because they imagine it's just how computers are and nothing can be done about it.

      There's a huge financial cost to businesses from what is, essentially, shoddy software and it's time to stop blaming the users for inadvertently exposing its faults.

    5. Nigel 11

      Maybe large biz needs to invest in some educational posters

      It will have to be an extraordinary large biz to not have a significant fraction of employees who will take any such poster as a recipe for what to do in order to f**k the b*****ds that own the place. Many, its a majority that will be thinking that way.

      How do we think that list of clients and potential tax-dodgers got out of Mossack Fonesca? An external hacker? Really?

  2. Stuart Halliday

    It's OK. In America they can just use a gun to protect themselves! ;)

  3. Stevie

    Bah!

    I only ever plug found thumbdrives into someone else's computer.

    Then I clean them by typing "format c:" and clicking until all the "are you sure" boxes go away.

    1. el_oscuro

      Re: Bah!

      Do you also install Linux afterwards so their computer actually works?

      1. John Tserkezis

        Re: Bah!

        "Do you also install Linux afterwards so their computer actually works?"

        No, because the users will complain their email attached-exe files don't work anymore.

        Yeap.

  4. redpawn

    A good file name

    All you need is a good file name such as "Cutest Kitten Vid" or "owner contact info.exe" and you would probably increase the folly. Data could be collected on click and install also.

    Business probably need to universally use security software to only allow authorized thumb drives to mount. Home users are just dead.

    1. Anonymous Coward
      Anonymous Coward

      Re: A good file name

      Most of the banks I've worked at over the last few years have locked down usb ports and dvd-rom drives on pc's so that they're not usable without an unlock code . Mostly a preventative measure to secure company data but also a good way to block these attempts at breeching systems.

      1. Anonymous Coward
        Anonymous Coward

        Re: A good file name

        Likewise here - my phone is locked out as you would expect....but then rather naughtily somehow presents itself as a DVD so that you can install the driver/software etc. The security does not appear to pick that up (although I suspect it would kick in if I tried to install it)

      2. Pookietoo

        Re: attempts at breeching systems

        So what happens once they're wearing trousers?

    2. Someone_Somewhere
      Devil

      Re: A good file name

      By far the most successful approach I have taken when engaging in (relatively harmless*) mischief has been to label it 'Do Not Open This'.

      People just can't help themselves, it seems. :D

      * prank executables and the like, nothing malicious.

    3. John Tserkezis

      Re: A good file name

      "All you need is a good file name such as "Cutest Kitten Vid" or "owner contact info.exe" and you would probably increase the folly."

      Agreed. We spoke about this with some friends who were arguing about how one would get an executable into someone else's computer.

      I said you don't have to. Just attach a file called "BigBoobs.exe" to an incoming email, and they're guaranteed to click on it. You don't even have to obscure it.

      1. Jimbo 6

        Re: A good file name

        Did anyone else ever receive an email attachment called "Brilliant_Ice_Hockey_Fight.wmv" (who could resist ?)

        When opened it was actually a Powerpoint file (so automatically opened in full screen, & all other buttons disappeared) which flashed, in massive letters, 'DOWNLOADING GAY PORN NOW'.

        Cue frantic scrambling to close the offending item. Lesson learned.

  5. hellwig

    Ok People

    If someone returns your flash drive, you'll want to clean that thing off first. Why would you trust a flash drive that was returned to you because someone looked at your data? What else did they do to your drive?

    Everyone else, leave that thing alone. It's like a baby bird, if you get your scent on it, the parents will reject it (that's B.S. of course, but it keeps kids from getting all sorts of bird germs on their hands, so the analogy sticks).

    Any maybe people should use flash drives for their intended purpose, transferring and transporting files, instead of what we currently use them for: "My ONLY copy of that super important document!!! Help PLEASE!"

    1. Flocke Kroes Silver badge

      I thought I had a backup ...

      ... but she refused to type it in again.

    2. Nigel 11

      Re: Ok People

      Just possibly, because your large/important file/partition was encrypted.

      OTOH if a random hostile has seen that there is encrypted data on the drive it gives them a stronger incentive to try to sneak spyware in to your computer via the returned drive. So retrieve your encrypted file/partition using a sacrificial computer. If you are truly paranoid then validity-test the retrieved data on a second sacrificial computer that is not networked.

  6. The Man Who Fell To Earth Silver badge
    Black Helicopters

    Now we know how the Iranians probably got Stuxnetted

    An operative probably just flung infected USB drives over the Nantanz fence.

  7. Anonymous Coward
    Anonymous Coward

    Ideas for USB sticks

    A usb stick with thousands of photos on it of that self same USB stick jammed in a urethra.

  8. Stu 18

    If the people making the OS did their job...

    In my view if the OS writers spent less time trying to create lock in and more time trying to make things better, then this wouldn't be an issue. We have sandboxing, virtual machines, built in AV etc, why wouldn't the OS prevent anything dangerous happening when a device is plugged in?

    Why isn't there the same thing for installing an application in windows downloaded from the net, should this program have access to these files, should it be able to use the microphone, camera etc, this is trying to access these websites / IP addresses which are registered to ...

    I think we like to believe we are getting smarter over time, but I think we are getting dumber and American tech companies are leading the dumb and dumber movement at full speed!

    1. Dan 55 Silver badge
      Thumb Up

      Re: If the people making the OS did their job...

      Yep, they are. Check out the new WebUSB API from... Google. More car parks full of USB devices than you can shake a (USB) stick at for a fraction of the effort.

    2. Adam 52 Silver badge

      Re: If the people making the OS did their job...

      I'm with this. Why should plugging in a USB stick be dangerous? A USB stick shouldn't be able to run anything. USB hardware should prompt the user to download and install a driver.

      Time and time again we see features added for no readily apparent reason introducing security flaws (html email, scripting in document formats, autorun, hiding file extensions).

      1. John Tserkezis

        Re: If the people making the OS did their job...

        "I'm with this. Why should plugging in a USB stick be dangerous?"

        Autorun. An oldie but a goodie. and it only took Microsoft a few decades to realise it was actually a monumentally bad idea.

        Meanwhile, Joe Bloggs still has it enabled because they want their CDs to do something when you plug them in. (They'll never EVER let go of that feature)

        Till they learn, that is.

      2. Flocke Kroes Silver badge

        Another reason why plugging in a USB stick is dangerous

        It looks like a flash device, but the software in it pretends to be a USB hub with a flash device and a keyboard attached. When it thinks you are not watching, the software pretends another flash device has been plugged in then types the required command to run the malware on this hidden flash device.

        Of course, the OS can prevent this from happening by not trusting any USB keyboards, and all the user has to do is type "Trust me" to tell the OS which keyboard to trust.

        1. TheDarkFreak

          Re: Another reason why plugging in a USB stick is dangerous

          And then I'd be pissed that my Yubikey no longer works. There goes simple, secure authentication.

      3. Hans 1
        Happy

        Re: If the people making the OS did their job...

        1. Get a dodgy USB stick (which cannot be used) with custom inscription, for example: Model No: ABC12345 2Tb MegaUltraDrive

        2. Then, on the internet, put a site up where you can download windows driver for model ABC12345 ...

        3. 0wned, any Windows techy would fall for that - if your lucky, a domain admin will plug the thing into his work computer .... if the website looks legit enough. I am sure the domain admins in banks do not have epoxy in their USB ports ... ;-)

        Windows, the OS for the clueless....

    3. phuzz Silver badge

      Re: If the people making the OS did their job...

      Sure, you could set things up so that an administrative password was required every time somebody plugged in a USB stick, but good luck putting up with the phone calls all day "I just need to copy this file can you come up and type in the password please?".

      Or you could have a box that pops up and asks the user to confirm that they want to run whatever is on the USB stick. People will just click the button regardless.

      You can do the sensible thing and disable autoruns, but people are still going to click on cute_cat_pics.jpg.exe, and then click 'Yes' on the "are you sure?" dialogue.

      And of course, if we lived in a world where the average person knew basic IT security measures (or even cared in the slightest about it), then a lot of us would be out of a job.

  9. Faceless Man

    They tried this as part of a penetration test on our network. They left thumb drives and CDs with "Payroll" written on them in marker in meeting rooms, and the carpark.

    Seemed kind of obvious they were a plant, plus the fact we knew it was going on, made us suspicious, although I believe some people were stupid enough to just plug them in.

    1. goldcd

      Those are the people you should fire.

      Those that took them home, ran them on sandboxed machines, negotiated salary hikes off the data contained... actually, I've got a much better idea.

      Corporations should just flood their car -parks with non-malware sticks indicating your colleagues are earning minimum wage.

      Keep the eejits quiet.

  10. Franco Bronze badge

    This is why I always want USB port lockdown, becuase as Vinnie Jones says

    https://www.youtube.com/watch?v=gQKUXDB27Dg

  11. KH

    Safe for me

    There's no auto-run on Linux. It's a safe practice to plug in random USB sticks. Windows users get what they get.

    1. Anonymous Coward
      Anonymous Coward

      Re: Safe for me

      Not worried about USB keys that also pack a USB HID? I wouldn't be so sure of my USB stack, even on Linux.

      raving angry loony below makes a good point too: no software will protect you from a -220V inverter across the USB data lines.

    2. a_yank_lurker

      Re: Safe for me

      Whether autorun is on or off is not relevant. The relevant point is the stupidity of installing unknown USB stick in any computer.

    3. Someone_Somewhere

      Re: Safe for me

      > There's no auto-run on Linux.

      No, but there /is/ automount - and that means there's something to hook into.

      The chances are that it still won't get any further than the user account, but that makes no difference if that account has access to priviliged information and/or services.

      1. Flocke Kroes Silver badge

        Re: automount

        The automount demon requires CAP_SYS_ADMIN to mount devices. Back when I was a PFY, automountd ran as root, and did not run fschk before mounting a block device. A defective file system could crash the kernel, and a maliciously crafted one would be able to run arbitrary code as the kernel.

        My information may be really out of date as I always disable automountd when commissioning a new system. (I do not use a file manager and I find it irritating to press <ALT><F4> every time I plug in a USB storage device).

    4. Planty Bronze badge

      Re: Safe for me

      No autorun on windows either, for the last 8 years or so.

    5. Anonymous Coward
      Anonymous Coward

      Re: Safe for me

      > There's no auto-run on Linux.

      Wow. People seem to have forgotten that USB devices can carry trojans that are firmware based and/or otherwise fairly OS independent.

      As a good example, here's BadUSB from 2014:

      http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/

      Please don't feel that using Linux protects you from bad USB devices. It really doesn't.

      1. Jeffrey Nonken

        Re: Safe for me

        I'll just pull my old PIII system of the shelf and plug it in there. Knoppix and no hard drive.

        Ok, worst case: hardware fried. Somebody in the thread threatened to install an inverter to fry my hardware, so maybe I found that one. It's a cute little system but I can live without it. Yeah, I've got all kinds of old crap hardware about. Kind of an elaborate joke, especially if you don't get to see the result.

    6. John Bailey

      Re: Safe for me

      "There's no auto-run on Linux. It's a safe practice to plug in random USB sticks. Windows users get what they get."

      About that..

      If it is running Windows software on an ordinary thumb drive.. Possibly.

      But what if it isn't actually a thumb drive?

      There is this chip.. An Atmel 32U4.

      Dead handy little micro controller... It has a built in USB to serial converter, and get this.. It can emulate a keyboard and mouse.

      And runs on 5 volts.. The voltage of..

      A USB port!!!

      Dead easy to program. Tiny enough to fit in a USB drive body. OS independent.

      No drivers.

      No OS requirements, other than the ability to recognise a HID device.

      Can be programmed to execute any series of key presses you like. Or mouse movements, or hot key sequences.

      Commonly available on Ebay as an Arduino Pro Micro. Bout three and a half quid delivered from China. On a tiny little board with a USB socket already wired up, and a set of breakouts along either side.

      Explain to me how exactly you stop this from executing any number of command sequences for fun or profit, the moment some prize twit plugs it in..

      I use one on my Linux desktop as a volume control, because the keyboard I use doesn't have this function. So I set it up to use some unused hotkeys, and now it does.

      Another is the remote input for my Myth box. An IR sensor added, and my HTPC is controlled from my IR remote.

      I could just as easily set it up to bring up a terminal as soon as it is plugged in, and type something destructive.

      Add a little ESP8266, and I have a wifi operated keyboard hooked up to your computer.

      So no. Linux is not actually protected from harm.

      Which is why an unattended thumb drive should be treated like a blood stained syringe wrapped in a half eaten kebab, wrapped in a used condom, sitting in a pile of fresh dog crap from a dog with serious digestive issues..

      No matter the OS.

      NEVER plug a found Thumb drive in.

      Walk past it, hand it in at the nearest police station, or bin it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Safe for me

        ... hand it in at the nearest police station, ...

        Oh, wonder if that would lead to an infected Police Station then. :D

      2. DropBear
        Linux

        Re: Safe for me

        "NEVER plug a found Thumb drive in."

        Care to elaborate on why not, seeing as how if it manages to infect the non-networked storage-less OpenWRT it will find itself plugged into, I probably have much more serious problems than a USB drive...? Oh, and if it zaps it that's a horrifying total loss of about $15 - I'll pay that much for the entertainment value...

      3. Pookietoo

        Re: hand it in at the nearest police station

        And when they find something illegal on it, who are they going to invite to assist with their enquiries?

    7. Nigel 11

      Re: Safe for me

      There's no auto-run on Linux. It's a safe practice to plug in random USB sticks.

      Depends on your enemies.

      It's not hard to build a USB stick that charges up a capacitor to hundreds of volts and then releases its charge down the USB signal wires. Exit USB port(s) if you are lucky, whole PC if you are not.

      Or the stink-bombs and pyrotechnic devices discussed above. Borderline illegal, but even so ....

      The security services and expensive private espionage services are reputed to have USB sticks that will run through a repertoire of system penetration attacks by doing things on the USB bus that no USB stick (or no legitimate USB device) would do. The simplest and most obvious is to emulate a keyboard and/or mouse...

      If a random luser can mount a random USB stick then next thing you know he will be opening files with various media players and libraries, all of which can tickle bugs which in turn might result in any data that the random Joe can access being deleted, corrupted, encrypted, or e-mailed to places that they shouldn't be. I wonder how many such bugs are currently known only to the black-hats out there? So even if your system has all the latest patches installed, are you safe from bigboobs.mp3, cute_kitten.jpg, payroll.ods, 00reward_for_safe_return_of_this_memstick.doc, ...

      Finally what about a USB stick that works perfectly normally for reading and writing, but also contains a battery, microprocessor, and (non wi-fi) wireless device? Plug in, do full device write, check, reformat, pronounce safe, re-use. Exit whatever corporate secrets you stored on it through the nearest window or wall a few hours or days or months later.

      Oh, and in respect of this last one ... how sure are you that the virgin USB sticks you ordered from Amazon or wherever haven't been doctored? Especially if your employer is in a similar line of work to Mossack Fonesca ....

      Read Alice in Wonderland again. "Eat me". "Drink me".

      Good luck.

      1. martinusher Silver badge

        Re: Safe for me

        A USB stick should just contain data. Its the auto-run feature of user friendly operating systems like Windows that causes the trouble -- it looks for executable files based on the file name and extension and blindly follows orders. I'm old school so I disable all auto-execution.....safety first.

        As for the USB stick being booby trapped, yes you could put a small bomb in it. But, seriously, the chances of that happening are very slim indeed. If you are curious about what's in it (I'm generally not) then the best thing to do would be to plug it into a beater computer, one that's old, tired, knackered and preferably not on a network, and have a look.

        (It worries me that so many people seem to have lost the thread -- they seem to know a lot about computers, everything except how they actually work.)

  12. raving angry loony

    USB fryer

    Time to get out the capacitors and fill a USB stick with them. Plug in and ZZZAAAAPPPP!!

    They won't be doing that twice. Sometimes, education really does need to be smoky.

    1. Anonymous Coward
      Anonymous Coward

      Re: USB fryer

      You need the charge pump too, capacitors on their own won't do much unless very big and completely discharged, then you might see some in-rush current.

      1. raving angry loony

        Re: USB fryer

        http://kukuruku.co/hub/diy/usb-killer?ModPagespeed=noscript

  13. EveryTime

    First, this isn't a representative sample. University students are in an economic realm that makes them more likely to use a dropped USB drive. And in a community where they are more likely to return it if they can find its owner.

    But the real point of the story is that people will plug in a USB drive. So what? Linux isn't going to auto-run that .exe file. It's fairly safe looking at a random .html file with most browsers, even if they load images from the World Wild Web. Errmm, fairly safe from a technical point of view, even if you need brain bleach when see That Which Cannot Be Unseen.

    Actually the worst one I've seen looked like a USB drive, but actually emulated a keyboard. It spewed a bunch of characters that opened a new browser window and typed in a URL. Or would have if I had been running Windows. Instead it just typed mostly garbage to the shell. If it had been a bit smarter it would have detected a Linux host (easy enough if you profile USB initialization timing) and might have typed something truly evil.

    1. a_yank_lurker

      @Everytime - True, the sample population is skewed so conclusions have to be carefully drawn about overall behavior. The high percentage that were picked up and plug in is indicative that this is real problem with users. Will it higher, lower, or the same - I do not know but this indicates that if enough, say a hundred or so, infected USB sticks are sprinkled about a parking lot carefully the odds of a few being found and plugged into a computer are about 100%. The scenario the envisioned is the infecting a network via a USB stick, which will likely only take one, and how likely is this to happen if enough are scattered about. A potential security nightmare for any organization.

      1. Nigel 11

        FIx the hardware

        There are still a few employers who know how to solve the problem. Fill all the external USB ports with epoxy glue. Except it's not easy to find PCs with PS/2 keyboard and mouse these days. Otherwise there's bound to be at least one employee who will unplug his keyboard so that he can plug in a random USB stick and investigate with his mouse, or bring in a USB hub.

        (Trusted security-vetted technical staff will be able to unlock the case and plug in a USB device to the internal USB header on the rare occasions that they need to).

  14. jason 7

    I have largely given up sorting students.

    They never do backups.

    They call up at 8pm demanding it fixing there and then.

    They don't like paying for work (that will be a wake up call for some later).

    The machines when asked if in English arrive in Russian/Chinese/Thai etc.

    The software on them is always pirate or blacklisted.

    Just not worth the bother.

    1. Rusty 1
      WTF?

      Re: I have largely given up sorting students.

      Is sorting students such a complicated process that anyone is ever upset by it? Surely, a student has one or more attributes (such as name or average altitude on a Friday morning), and students are sorted by an attribute. Now this may well involve something called an index. Sorting is easy. Students, elephants, or badgers - it's all the same.

      What were you saying? Do you think seriously think that badgers don't do backups?

      1. jason 7

        Re: I have largely given up sorting students.

        No cos badgers are too sensible to call me at 8pm!

        Good payers too.

        At the end of the day it's the old hassle to reward ratio. Students just go too far up the top of the graph.

        Student wants to pay £30 for 6 hours work.

        Domestic/small business customer wants to pay £100 for 1.5 hours.

        Not a tough decision.

    2. Anonymous Coward
      Anonymous Coward

      Re: I have largely given up sorting students.

      Doesn't that depend a bit on which sorting algorithm you use? :)

      As pre-sort routine you could put up a list of must do, such as:

      - makes a backup at least weekly

      - keeps a machine patched

      - has an up to date virus checker

      - does not run pirated software (although it's hard to check for that)

      - keeps any kind of dodgy images locked up (because that's a game you really don't want to be near to start with)

      - has not got 7 kinds of toolbars and gadgets installed (a prime attack vector after porn and malvertising)

      - has one user and a decent password.

      That will prevent (or will allow you to decline) about 80% to 90% of support requests to start with..

  15. Anonymous Coward
    Facepalm

    So, the secret to secure computing is...

    Shoot the users? Or maybe just lobotomize them? :)

    OK, now that I have solved your IT security problems, please send your checks to:

    M. Hack

    111 Main Street...

    1. RedneckMother

      Re: So, the secret to secure computing is...

      @ Marketing Hack

      "Or maybe just lobotomize them?"

      From the immortal line delivered by Marty Feldman, in "Young Frankenstein":

      TOO LATE.

    2. chivo243 Silver badge

      Re: So, the secret to secure computing is...

      @Marketing Hack

      Or maybe just lobotomize them? :)

      I thought this was a prerequisite for being a user.

      Funny, my old bank was at 111 Main Street...

  16. Anonymous Coward
    Anonymous Coward

    If the USB drives in question exploded, users would be educated not to pickup and use loose USB drives.

    If they were explosive enough, the lesson would be permanent for those individuals.

    I'm an Old Testament kind of guy: Smite them mightily - leave not one to piss against the wall.

  17. Unicornpiss
    Meh

    If I found a flash drive (and I have)

    I would plug it in to see what was on it. On my Linux PC or a Win box with autoruns disabled and no network connection. (My PCs don't generate thumbnails either) Now truly, most people would not take any precautions, but would anyone who reads this forum not examine a found flash drive to see what was on it? After taking some precautions of course.

    1. Pascal Monett Silver badge

      And that is the problem

      What exactly can you do with a USB drive you find if not plug it in to find out who lost and return if to the person ?

      The issue is not really that people are going to plug them in - of course they are. Curiosity is human nature.

      The real issue is that people can only plug them into their PC/laptop, which is generally woefully under-prepared for such a task.

      What we should have is a peripheral, a USB Sanitizer, something into which you can plug in a stick you found and be sure that nothing evil is on it.

      With that peripheral, you can then bang on about how users are 1D10Ts and should plug it into the sanitizer first. But until we have such a tool for Joe Public, the problem will persist.

  18. PunkTiger
    Linux

    I'll plug one in...

    ...as long as I take the proper measures to do so.

    1. Use an old "junk" laptop with only a working optical drive (no spinning rust or SSD connected).

    2. Boot up a live Linux distro off a CD/DVD.

    3. Plug in mysterious USB drive.

    4. Unless it's some sort of virus that directly screws around with the BIOS, or booby-trapped device that damages your USB ports, freely look at whatever is on the USB drive.

    4a. If it DOES mess about with the BIOS, or cause your laptop to go pop and release the Magic Blue Smoke, then console yourself that the laptop was just a kickaround spare that you weren't using anyway, and go get another one for a few bucks/quid at the local computer recycling center/centre.

    5. Laugh at the lame-o attempt to write a virus/trojan to a read-only filesystem (if necessary), see if there's any juicy info stored on it, then decide what to do with the drive afterwards (reformatting it, destroying it, etc.)

    There! You've just dealt with a mysterious USB device in a relatively safe manner. Go pat yourself on the back and have a cookie/biscuit.

    1. Flocke Kroes Silver badge

      Re: I'll be more careful ...

      The other magic command you are looking for is lsusb, to see if the device is pretending to be a keyboard. The challenge is to type lsusb before the usb device types something that modifies lsusb to make itself invisible.

    2. Tom 7

      Re: I'll plug one in...

      I'd add the proviso of sticking it in an attached USB hub so it cant directly fry your machine.

      1. Nigel 11

        Re: I'll plug one in...

        What line of work are you in?

        A USB stick can pass all these paranoid precautions, and yet be a means to transmit everything that is stored on it down a (possibly non-licensed) radio channel at a later date.

        You are safe if you do not have anything stored on it that you are unhappy to be made public. Otherwise, one word. Don't.

        Of course, the NSA and/or the Chinese have probably already sneaked similar spying technology into your organisation's network infrastructure.

    3. Someone_Somewhere

      Re: I'll plug one in...

      > Laugh at the lame-o attempt to write a virus/trojan to a read-only filesystem

      Get royally screwed after the next harmless USB device gets infected by opcodes that wrote themselves into the optical/usb contoller firmware this time. A good one will distribute itself across the firmware of /all/ onboard controllers to give itself room for more sophisticated routines - and lurk in your GPU registers too.

  19. Barry Rueger

    Truth in Advertising

    I'm willing to wager a Cold Refreshing Beverage that every single commenter here has plugged random, or unknown, or found USB drives into their computer.

    Whether it came from the woman at the desk next door, or was found in the parking lot, or was purchased brand new, you have NO way of knowing what's on it or what it will do.

    1. Allan George Dyer
      Pint

      Re: Truth in Advertising

      You win.

    2. chivo243 Silver badge
      Pint

      Re: Truth in Advertising

      Yes, it's scary that this vector is so wide open. Yes, I've plugged in unknown drives, have a cold frosty one on me! However, we plugged them into OS X, only a modicum of protection back in the day...

    3. John Bailey

      Re: Truth in Advertising

      "I'm willing to wager a Cold Refreshing Beverage that every single commenter here has plugged random, or unknown, or found USB drives into their computer."

      Mines a Stella

      "Whether it came from the woman at the desk next door, or was found in the parking lot,"

      It doesn't get plugged in.

      "or was purchased brand new,"

      In which case, the risk is so tiny, it really isn't worth bothering with. Because if we are going to that level of paranoia, then it is unwise to turn on any electronic device at all. Cos hackers might have altered the firmware, and the NSA may steal my belly button.

      "you have NO way of knowing what's on it or what it will do."

      True. For a given value of true.

      Found on the ground outside work. TOXIC. Hand in or destroy.

      Found in the pub.. Seriously dodgy. Hand in to the bar staff. Then it's their problem. Especially as I buy drinks only with cash.

      Belongs to a neighbour. Assume digital toilet unless known otherwise. Let them plug it into their computer.

      Handed out at a conference, never going to be looked at anyway.

      Found in a blister pack at the local computer shop, or a well established reputable online shop...

      Reasonably likely to be safe.

      One can never eliminate all risk entirely, and only forum warriors try to imply anybody can. One can however, take reasonable precautions to eliminate REASONABLE amounts of risk. It's called not doing stupid things.

      I don't solder in a hazmat suit. But I don't hold lead solder in my mouth either, and I long exhale while soldering, or have a low speed fan gently blowing the flux fumes away.

      I have soy sauce that is 10 years out of date that I still use. Part of a bunch of bottles of the good stuff I bought years ago. But I'm quite strict about things I freeze. And every bag or box has a date.

      In 51 years of life. Zero food poisoning incidents.

      1. DropBear
        FAIL

        Re: Truth in Advertising

        ""or was purchased brand new,"

        In which case, the risk is so tiny, it really isn't worth bothering with. Because if we are going to that level of paranoia, then it is unwise to turn on any electronic device at all. Cos hackers might have altered the firmware, and the NSA may steal my belly button."

        Haha nope. Personally have seen photo frame (also appears as USB mass storage) with "funny stuff" hoping to autorun already on it at purchase, brand new, out of factory. Wasn't even a proper noname brand either. Sorry but that risk isn't anywhere near "tiny" at all.

  20. ZenCoder

    Its never 100% safe ....

    http://arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/

  21. Anonymous Coward
    Anonymous Coward

    Nevermind all those preventative measures....

    ... just do what i do and plug into someone else's computer (like a university one).

    1. Anonymous Coward
      Anonymous Coward

      Re: Nevermind all those preventative measures....

      preferably your boss'es pc, while he's out for lunch. Don't forget the fingerprints though!

    2. Someone_Somewhere

      Re: Nevermind all those preventative measures....

      > like a university one

      N.B. not a university you attend yourself.

  22. tom dial Silver badge

    Nobody ever went broke underestimating the intelligence of the American public.

    H. L. Mencken

    Probably includes university students as a special, and maybe more gullible, case.

  23. Winkypop Silver badge
    Alert

    A found USB drive?

    Think: dog turd.

    There is no "clean" end.

  24. Anonymous Coward
    Anonymous Coward

    The real issue

    is organisations that allow mounting USB drives without suitable mount options (think noexec, nosuid et al). Avoiding malware this way is super easy

    - Home folder is mounted with noexec and nosuid

    - Automount configured to do the same.

    Users can only execute system binaries and are unable to infect the system.

    1. Nigel 11

      Re: The real issue

      Sorry, wrong. You are assuming that what appears to be a USB memory stick really is a USB memory stick, and one that lacks any extra unanticipated/ unannounced capabilities at that.

  25. John H Woods

    Probabilities

    I'm a bit shocked by all this. I wonder if there's a risk/reward thing going on here --- some USB drives can be large, useful and valuable. Most USB drives, I presume, are dropped by accident. Depending on the statistics, that could still make it worth plugging one in, though I doubt I would.

    But how safe are ones you buy? Or are given by exhibition vendors? If the payload just quietly installed itself and didn't do anything / wasn't discovered till some time later would you even remember the potential infection source? Unless you had an airgapped machine you'd probably suspect compromise via the network, surely? Maybe not if you still had a guilty conscience about finding one in the car park.

    TBH, I'm inclined to look at the stats the other way round --- isn't it good news that 50% of people don't risk it? (like the 50% divorce stats --- isn't it really rather amazing that 50% of people stick with the partner they married for life?)

    1. Jason Bloomberg Silver badge

      Re: Probabilities

      I was going to say much the same thing. Nothing is guaranteed safe, nothing at all. But in the real world we have to accept a level of risk or we would stay in our beds and, even then, perhaps end up being crushed by a falling ceiling.

      It really is no-win. And some people will get burnt. The best we can do is mitigate risk and hope to remember to do that even when we get excited by a freebie found in a car park or the shiny new box which arrives from the supplier.

  26. Pseudonymous Diehard

    Shock Horror

    Students at University dont pass up on a freebie.

    Go and drop these USB drives somewhere there isnt a high concentration of poor scroungers and ill take notice.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shock Horror

      … like outside an Apple store?

      1. Pseudonymous Diehard

        Re: Shock Horror

        No thats almost the polar opposite. They are cash rich but USB port poor.

  27. Anonymous Coward
    Anonymous Coward

    Rules needed

    1. Disconnect test devices from ALL networks and disable devices for connectivity

    2. Plug into powered USB hub to protect PC from power shorts & other physical mischief

    3. Plug USB hub into Linux VM with no permissions for user to auto mount, execute etc

    4. Don't execute any executable files EVER

    5. Open files with basic text editors or other program that will not run any RICH media (aka potentially nasty active content)

    6. Format drive, including boot information, preferably taking account wear smoothing and other file fragments

    7. Re-use if brave or trash if sensible - I don't know how to be absolutely certain that there is no in-built chippery or hardware modification that would not normally be present.

    1. Tom 7

      Re: Rules needed

      But even 1..6 wont prevent a clever device wreaking havoc. I'd go as far as 5 on your list to see if I could find any details that may provide ownership of the device (or increase my porn collection) but I'd not risk re-using it. I've seen what you can do with a Pi Zero and you can get USB sticks with a lot more potential than that!

  28. Blacklight
    Stop

    Well...

    "George found it. George was curious.

    Now George is an Unemployed Silly Bugger.

    Don't be like George - hand it in, don't plug it in".

  29. Anonymous Coward
    Anonymous Coward

    of course they pick them up and use them

    'free' stuff is an opiate no amount of education or awareness training will ever, ever surmount.

  30. Anonymous Coward
    Anonymous Coward

    So the right answer is ..

    .. either bin the found USB, or give it to someone you don't like very much..

  31. Anonymous Coward
    Anonymous Coward

    plug said drives into their PC

    wait, I thought it was meant for a PC, not a tablet of mobile, in which case... success! :)

  32. allthecoolshortnamesweretaken

    2 points

    1. Why 297 USB drives? Did they plan to use 300 but lost 3 of them?

    2. Arguably the study shows that 52% of the persons who found one of the USB drives were smart enough to take precautions like using a hardened system in which they plugged the USB drives.

    1. Nigel 11

      Re: 2 points

      Maybe the three (or 103, 203) that they omitted from the study were the three that got totally crushed under wheels in the parking lots before anybody picked them up?

  33. IsJustabloke
    Megaphone

    Oh come on...

    Everyone will look on a USB drive, its the modern equivalent of finding porn in the woods

  34. To Mars in Man Bras!
    Thumb Up

    Thank God I Live in England!

    No "Parking Lots" here. So I'll assume USBs I find in "Carparks" are OK to use.

    While on the subject, any advice vis-a-vis USBs found on "Sidewalks" versus those found on "Pavements"?

    1. Anonymous Coward
      Anonymous Coward

      Re: Thank God I Live in England!

      Im not sure, all I know is Adele recommends against chasing pavements.

      Since my PC is Adele* ill play it safe and not pick a USB drive up off a pavement.

      *Its massive, made of cheap materials, is full of shit and whines when its been on too long. It also only kicks off when it breaks up.**

      **Just like Adeles albums I managed to pick it up shortly after launch for a massive discount. Once the hype wore off.***

      ***Just like the singer Id happily use it but Id never admit it to my mates.****

      ****Unless I ended up in a song.*****

      *****In which case id have been better off buying HP******

      ******In which case I would probably pick up a USB drive.

    2. Fink-Nottle

      Re: Thank God I Live in England!

      Rule, Britannia - where the streets are paved in USB drives dropped by civil servants and the average student wouldn't know what to do with a USB drive in the unlikely event they could actually be arsed to pick one up in the first place.

  35. Joe Harrison

    Does not make sense

    A new study has found that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs.

    Isn't it more likely that almost half the USB sticks were picked up but the rest were eaten by magpies? Then all of the people who did pick up one of the USB sticks later plugged it into a PC (else why pick it up?)

  36. WailingBanshee

    Okay tin hat on, just how many people have actually been pwned by a "found" usb stick? I don't know of anyone and never heard of anyone having a problem - therefore from my and the people I know perspective the risk is tiny. This is important as personal perspective drives our behaviour.

    Security advice when it comes to computers is largely concentrated around all the things that "could" happen - I don't see so much information around how many devices have been infected/compromised, mainly I suspect because the reality is that most people couldn't get their PC infected if they tried.

    The real risk from an objective viewpoint is probably still tiny - so why not have a look, could be something interesting

    1. Someone_Somewhere

      Re: so why not have a look, could be something interesting

      You'd be happy playing Russian roulette with an AK-47 because the odds are pretty good you'd survive, is that what you're saying?

      You only need to get unlucky once for the odds to be academic.

  37. shovelDriver

    Maybe The Students Are . . .

    Maybe those university types are smarter than we think.

    After all, isn't it a truism that modern anti-virus and anti-malware software automatically scans devices as they are connected, and automatically scans each software package as it is run? And isn't it true that university IT departments are staffed with the most knowledgeable and capable personnel, who maintain the uni's firewalls, internal protection systems, etc?

    Why, then, would plugging in a flashdrive an issue?

    Or . . . perhaps . . .we've all been misled by A-V and O/S claims of protection?

    1. Someone_Somewhere

      Re: Or . . . perhaps . . .we've all been misled by A-V and O/S claims of protection?

      The thing about Conficker was that it didn't matter that you had autorun turned off, the fact that a call to the autorun routine had been made was enough for the payload to be launched.

      So ... no ... we haven't.

  38. Tigra 07
    Mushroom

    (Small firecracker-like explosions obviously...)

    Leave exploding USB sticks lying around next time. That'll teach them.

  39. psgcaravan

    what you SHOULD do

    lots of smart people responding, but only one had advice on the appropriate response to finding an unknown-sourced USB -- and that was to put it in somebody else's computer -- an ethically questionable move.

    So WHAT should you do? I would assume either

    a) there is somebody who legitimately is missing their USB, so what should I do to be safe?

    b) some spy person is doing something BAD, so ???

    c) ?

    Is there some existing security harness that I could buy/build and use?

    Is there a set of "safe" procedures for accessing without compromising the host system?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like