Don’t Pick Up That Thumbdrive!
IdentityStuff has a blog on USB security/insecurity with some info gleaned from Bruce Schneier’s Blog.
Plug an iPod or USB stick into a PC running Windows and the device can literally take over the machine and search for confidential documents, copy them back to the iPod or USB’s internal storage, and hide them as “deleted” files. Alternatively, the device can simply plant spyware, or even compromise the operating system. Two features that make this possible are the Windows AutoRun facility and the ability of peripherals to use something called direct memory access (DMA).
OK, that sucks. But no one is going to get physical access to your computer, so no big thang, right? Um hm. Ever heard of promo USB drives? If you found a drive in the booth at a coffeeshop would you be even slightly tempted to plug it in - just to see if you could ID the owner, you lil boy scout you? Read on:
The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.
Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.
This worked, as critical information started trickling into the pirates’ computers through surreptitious emails sent from the lucky finders’ computers. And these were “high alert” employees. Nice.
Now go read the entire blog and find out how to maybe protect yourself.