USB sticks - gift or attack?

There's nothing nicer than attending an event and being given a nice big free USB stick, some of us may think... copy the contents onto your PC, format the drive and you've got yourself a freebie for music, videos or whatever data you're interested in. It might even have a key ring, if you're lucky.


Unfortunately, a USB stick is not always what it seems. According to a social experiment from the University of Illinois, almost half of USB sticks that are found in public places will be inserted into a port on a computer at some point. The intention of this blog post is to insert some suspicion into everyone regarding endpoints and plugging in a USB device. A USB port is an entry point into your computer and into your firm, just like the door you walk through every morning into the office, although it's much easier to carry a USB stick in undetected than it is to get a person in.

What could be on the USB? Anything at all is the answer. There are no limits. USB drives can autorun as well. The files inside might be disguised as legitimate content, but actually be malware with criminal intentions. Dropping a USB on the floor is a well-hidden tactic: you'll do well to find the person who dropped a device in the street before it was picked up. They're making you do all the hard work.

One issue is how you can tell what's on the device before you've plugged it in. Using antivirus scanning software that can look at the contents without opening them directly on your PC is a good start, or even better, ask your IT team. They may insert the device into a non-networked computer and do some scanning that way, avoiding any mass replication of a virus.


It's the job of IT professionals to raise awareness of scenarios such as this. Our biggest Information Security weakness is our colleagues' understanding of technological possibilities, and we need to be proactive in sharing the potential pitfalls wherever possible.