
Two-Thirds of Lost USB Drives Carry Malware

samzenpus posted more than 2 years ago | from the bugs-everywhere dept.

Australia 196

itwbennett writes "Antivirus firm Sophos acquired a passel of USB sticks lost by commuters on trains in the Greater Sydney metro area at an auction organized by the Rail Corporation New South Wales. The company analyzed 50 USB sticks and found that not a single one was encrypted and 33 of them were infected with at least one type of malware."


What do you expect .. (5, Funny)

roguegramma (982660) | more than 2 years ago | (#38295956)

.. they were lost by the 10% of commuters stupid enough to lose a USB stick.

Re:What do you expect .. (1, Offtopic)

DemonGenius (2247652) | more than 2 years ago | (#38296028)

And I just used up all my mod points too...

Re:What do you expect .. (5, Interesting)

Marxist Hacker 42 (638312) | more than 2 years ago | (#38296222)

I was thinking of a different self-selecting sample- the script kiddies willing to spread malware-infected USB sticks around in public to see which computers phone home.

Re:What do you expect .. (4, Informative)

MurukeshM (1901690) | more than 2 years ago | (#38296546)

They considered that angle. But then

Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers, is very low.

"We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.

"The malware involved was mostly very prevalent, general-purpose, zombie stuff," Ducklin explained. The security expert believes that this method of malware distribution is not even viable because most lost USB sticks are being handed into lost property rather than being plugged into computers by users.

[TFA]

Re:What do you expect .. (5, Insightful)

jabberw0k (62554) | more than 2 years ago | (#38296896)

most lost USB sticks are being handed into lost property rather than being plugged into computers by users.

100% of items handed in, have been handed in -- what a surprise! How do they track lost items that were not handed in? This is as accurate as Gracie Allen's telephone poll -- 100% of people she phoned, had a phone.

Re:What do you expect .. (3, Insightful)

BitterOak (537666) | more than 2 years ago | (#38296236)

.. they were lost by the 10% of commuters stupid enough to lose a USB stick.

Why is this modded troll? Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.? I'm not suggesting that it is impossible for a very careful person to drop something or have it fall through an unknown hole in the pocket, but at the same time, I don't think it is unreasonable to suspect that a population of those who left their USB sticks on the subway aren't necessarily perfectly representative of the population of USB stick users as a whole.

Re:What do you expect .. (2)

geekoid (135745) | more than 2 years ago | (#38296472)

Because he implies when someone loses something it's because they are stupid; which is false.

Which implies all people not losing stuff are smart.

Re:What do you expect .. (1)

Anonymous Coward | more than 2 years ago | (#38296562)

Because he implies when someone loses something it's because they are stupid; which is false.

Which implies all people not losing stuff are smart.

Your logic is flawed.

Re:What do you expect .. (3, Insightful)

aix tom (902140) | more than 2 years ago | (#38296582)

People who lose stuff are not necessarily more "stupid", but they are definitely more "careless"

And yes, people who care enough to double-check all their possessions lose less than people who don't.

And the people who double-check their possessions are probably also the ones who double-check their virus scanner and/or their encryption.

It has little to do with "stupid". In fact, one of the stereotypes of a careless person is the highly intelligent "absent minded professor"

Re:What do you expect .. (1)

BasilBrush (643681) | more than 2 years ago | (#38296812)

And yes, people who care enough to double-check all their possessions lose less than people who don't.

How exactly does one double-check, and in what way is it superior to single-checking?

What about those with zipped pockets or bags versus open pockets or bags. Do you think that might be a factor? And how exactly do you imagine that relates to "carelessness".

Do you imagine the use of zips correlates with computer literacy?

Re:What do you expect .. (4, Insightful)

nine-times (778537) | more than 2 years ago | (#38296712)

It seems likely that people who are careless also lose things more often.

Re:What do you expect .. (3, Interesting)

BasilBrush (643681) | more than 2 years ago | (#38296728)

Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.?

It's not an unreasonable hypothesis to raise. It is unreasonable to assume it's true.

Mac (5, Insightful)

cyachallenge (2521604) | more than 2 years ago | (#38295960)

FTA

One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.

Re:Mac (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38296312)

... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

Re:Mac (3, Funny)

Rockoon (1252108) | more than 2 years ago | (#38296422)

... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

Yes they did, and then the guy you replied to did also.

It was seven. Were you looking for digits? 7.

Re:Mac (1)

geekoid (135745) | more than 2 years ago | (#38296480)

0111

Re:Mac (0)

ciotog (1098035) | more than 2 years ago | (#38296504)

"uninfected" != "infected". You sure mouth off a lot for a dumbass...

Re:Mac (0)

Anonymous Coward | more than 2 years ago | (#38296558)

Yes, 7 of the 33 infected were used with Macs.

What AC is asking is how many of the 17 ***uninfected*** drives were also used with Macs.

Re:Mac (1)

MurukeshM (1901690) | more than 2 years ago | (#38296568)

... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

Yes they did, and then the guy you replied to did also.

Uninfected devices.

Re:Mac (1)

msauve (701917) | more than 2 years ago | (#38296594)

Yes they did

No, they didn't. There were 7 infected ones. The GP said "uninfected," and he's correct (unusual for an AC, I know) - without knowing how many uninfected ones qualify as "used under MacOS," the figure has no significance.

Re:Mac (4, Funny)

John Bresnahan (638668) | more than 2 years ago | (#38296538)

FTA

One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.

Which means that those USB drives had been plugged in to a Windows machine at least once.

Re:Mac (3, Funny)

BasilBrush (643681) | more than 2 years ago | (#38296874)

We have a winner!

Truecrypt? (2, Insightful)

shellster_dude (1261444) | more than 2 years ago | (#38295964)

How would they know if it had been encrypted by something like Truecrypt which is designed to be invisible to prying eyes?

Re:Truecrypt? (4, Insightful)

mr1911 (1942298) | more than 2 years ago | (#38296016)

TrueCrypt does not make invisible containers. It makes encrypted containers.

There is an exception for the container hidden in a container, but that only offers plausible deniability as the existence of the larger container is obvious.

Re:Truecrypt? (3, Insightful)

shellster_dude (1261444) | more than 2 years ago | (#38296260)

Still, how would they know if some sort of stenography was being implemented, or if I had a Truecrypt volume called "ProgramA.bin"?

Re:Truecrypt? (1)

tverbeek (457094) | more than 2 years ago | (#38296296)

Because the kind of people who are that careful with their data don't lose the USB sticks on the train and then fail to come looking for them.

Re:Truecrypt? (2)

geekoid (135745) | more than 2 years ago | (#38296492)

Based on... what? Routine makes fools of us all from time to time.

Re:Truecrypt? (1)

amRadioHed (463061) | more than 2 years ago | (#38296324)

An encrypted volume would not look the same as a binary file. Binaries are far from random.

Re:Truecrypt? (1)

Ichijo (607641) | more than 2 years ago | (#38296516)

Binaries are far from random.

Are ASCII files more random? How about self-extracting archives?

Re:Truecrypt? (0)

Anonymous Coward | more than 2 years ago | (#38296784)

Please, are you for real?

ASCII is far from random as it features a-z and white space a lot.
All self-extracting archives start with a standard program header and the self-extracting code part (either at the beginning or the end of the file). There are only so many variants of that.

Re:Truecrypt? (0)

Anonymous Coward | more than 2 years ago | (#38296374)

Still, how would they know if some sort of stenography was being implemented, or if I had a Truecrypt volume called "ProgramA.bin"?

Steganography?

Re:Truecrypt? (1)

black3d (1648913) | more than 2 years ago | (#38296394)

As I posted elsewhere, but in case you don't see it - for finding truecrypt volumes hidden in files: http://16s.us/TCHunt/index.php [16s.us]

Re:Truecrypt? (1)

DigiShaman (671371) | more than 2 years ago | (#38296316)

I've only used TrueCrypt in two instances. First being a file container in which I could mount and store stuff. The other in which I provisioned a USB drive to store data. With regard to the last option, I was always nagged about the flash drive not being formatted and asked if I wished to do so. So my wife finds the sucker and formats it, thinking it was up for grabs. Though I am curious. Does TrueCrypt anticipate the drive being encrypted by reading a certain set of LBA blocks? Is it something in the MBR? Just how obvious is the hidden container when viewing the drive raw with a hex editor?

Re:Truecrypt? (1)

black3d (1648913) | more than 2 years ago | (#38296570)

It should appear as random data (as opposed to an empty or freshly fully-formatted drive which appear zeroed or one'd depending on the case). This then means either it is encrypted, or has been securely erased. However, sometimes byte chains can be detected within the data. Use a tool like https://code.google.com/p/tcdiscover/ [google.com] to test your volume.

Although there are more advanced tools available to LEA. Plausible deniability is more important than how hidden the volume is, and you should never give up the key to your external volume until forced to do so or in dire circumstances. It should be currently almost impossible (in most cases) to detect the second hidden volume within the outer volume.

So, work on that outer volume. Frequently write files to it - generally, as often as you're writing files to your hidden volume. So many people leave an empty outer volume and then expect plausible deniability to work when the volume was created 2 years ago and last modified 3 days ago. While it's "possible" that they "just erased all their data a few days ago", it's not plausible, hence the turn of phrase.

Re:Truecrypt? (1)

Vegemeister (1259976) | more than 2 years ago | (#38296598)

Truecrypt containers have an encrypted header in a particular chunk of the file. Truecrypt attempts to decrypt the data at this location with the given key. If it succeeds, then we know the file is a Truecrypt container. There is also another location that potentially holds an encrypted header describing a hidden volume.

Re:Truecrypt? (1)

Anachragnome (1008495) | more than 2 years ago | (#38296482)

"TrueCrypt does not make invisible containers. It makes encrypted containers..."

Another question.

I am assuming that encrypting a container--in this case a USB stick--would also disable any malware already written to the drive as that code would be unrecognizable as code by the computer it was plugged in to...until it was decrypted. On the other side of the coin, if that same encrypted stick was plugged into an infected system, I assume the malware could be written (un-encrypted) to the drive intact and function when that stick was later plugged into another system. In essence, the malware can be installed on the stick while the drive is mounted via Truecrypt, as well as when it is plugged in but not mounted via Truecrypt. This would leave the user vulnerable twice.

Is this correct? Am I missing something, or is the encryption and malware two separate issues, because I don't see how encryption helps protect against malware once the drive or folder is decrypted.

Re:Truecrypt? (1)

black3d (1648913) | more than 2 years ago | (#38296606)

You're quite right. The researchers were simply pointing out that not only a) are none of them encrypted but also, b) they've got malware on them. Two separate issues. Although yes, an encrypted drive can't be infected by malware while encrypted as there's no file system there for it to infect (unless it writes its own MBR, in which case goodbye data) but as soon as it's decrypted and in use that doesn't really matter.

Re:Truecrypt? (4, Funny)

Anachragnome (1008495) | more than 2 years ago | (#38296858)

Thanks.

I guess the old adage still applies...

"Careful where you stick that thing, son..."

Re:Truecrypt? (1)

tqk (413719) | more than 2 years ago | (#38296700)

TrueCrypt does not make invisible containers. It makes encrypted containers.

I don't know about TrueCrypt but last I heard, MS Win* can't even see multiple partitions on USB keys. It only sees the first one (I don't know if this is still true wrt more recent versions of Win*); anything past the first one is invisible.

I don't bother to encrypt my USB keys either. I've not many secrets worth hiding, and a bzipped afio/cpio archive in a second to N extN ptn should be fairly unreadable for ca. 99% of humanity. Anyone who could read them would be disappointed. Not much for me to worry about there.

Medical doctors or bank employees might have more reason to consider encryption.

Re:Truecrypt? (5, Informative)

black3d (1648913) | more than 2 years ago | (#38296308)

Truecrypt isn't designed to be invisible at all. Aside from entirely encrypted drives, it's fairly obvious if someone HAS encrypted data. Truecrypt is about hiding that data via hidden partitions within outer encrypted containers, and plausible deniability.

Truecrypt volumes are generally detectable:
http://www.jadsoftware.com/?page_id=89 [jadsoftware.com]
https://code.google.com/p/tcdiscover/ [google.com]
And if the researchers discovered drives that are filled entirely with random data, then they know they're either securely formatted or encrypted, and would likely consider them the latter - if they're securely formatted the file system appears intact. If the entire drive is encrypted (or securely erased from the MBR up) then the FS is not intact, and it's a fair bet that the researchers are claiming they found all sticks with intact file systems, formatted to the same volume as the stick, with single partitions.

As are those hidden within files:
http://16s.us/TCHunt/index.php [16s.us]

But - the reason for the ramble: Never make the mistake of thinking Truecrypt is invisible. It's not. What's "invisible" should be your second hidden volume within the Truecrypt container - if you've set it up correctly. And there have previously even been attacks on that, in the event attackers are able to gain access to the external container. Work on your plausible deniability. Don't rely on TC to do the work for you or you'll end up with leaks everywhere.
http://www.schneier.com/paper-truecrypt-dfs.pdf [schneier.com]
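An added example (not part of the comment above, and not the code of TCHunt, tcdiscover or any other linked tool): a Python sketch of the kind of check this sub-thread describes, flagging files that look random from the first byte, carry no recognisable header and span whole sectors. The thresholds, the 512-byte sector assumption, the header list and the sample files in the demo are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

SECTOR = 512          # assumption: container sizes are whole 512-byte sectors
SAMPLE = 64 * 1024    # bytes examined from the start of each file
ENTROPY_MIN = 7.9     # bits per byte; uniformly random bytes sit just under 8.0
CHI2_MAX = 350.0      # uniform bytes score about 255 +/- 23 (255 degrees of freedom)

# Headers of ordinary files that are high-entropy but not opaque containers.
KNOWN_MAGIC = (b"MZ", b"\x7fELF", b"PK\x03\x04", b"\x1f\x8b", b"BZh",
               b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"Rar!", b"7z\xbc\xaf")


def shannon_entropy(data):
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data):
    """Chi-square statistic of the byte histogram against a uniform one."""
    if not data:
        return float("inf")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def triage(sample, size):
    """Judge one file from its first bytes and its total size."""
    entropy, chi2 = shannon_entropy(sample), chi_square(sample)
    reasons = []
    if len(sample) < SAMPLE:
        reasons.append("too small to judge")
    if size % SECTOR:
        reasons.append("size is not a whole number of sectors")
    if sample.startswith(KNOWN_MAGIC):
        reasons.append("known file header")
    if entropy < ENTROPY_MIN:
        reasons.append("entropy too low")
    if chi2 > CHI2_MAX:
        reasons.append("byte distribution is not uniform")
    return {"entropy": round(entropy, 3), "chi2": round(chi2, 1),
            "candidate": not reasons, "reasons": reasons}


def scan_tree(root):
    """Return paths under root that look like headerless random data."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE)
            if triage(sample, os.path.getsize(path))["candidate"]:
                hits.append(path)
    return sorted(hits)


def keystream(n, seed=b"constructed-sample"):
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


if __name__ == "__main__":
    # Constructed sample files; contents are made up for the demonstration.
    samples = {
        "ProgramA.bin": keystream(4 * SAMPLE),             # random-looking, no header
        "setup.exe": b"MZ" + keystream(4 * SAMPLE - 2),    # header gives it away
        "notes.txt": b"Quarterly review notes.\n" * 4096,  # plain ASCII
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        for path in scan_tree(root):
            print("candidate container:", os.path.basename(path))
```

A hit only says the file is indistinguishable from random data; securely erased space and headerless compressed streams can score the same.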

I can't believe that many people... (4, Funny)

Fallingcow (213461) | more than 2 years ago | (#38295978)

... carry acroread.exe and/or iexplore.exe around on their USB sticks.

Weird.

Re:I can't believe that many people... (1)

kju (327) | more than 2 years ago | (#38295998)

Well, I was too lazy to RTFA, but maybe these infected sticks are "lost" on purpose? I mean this has reportedly been done before.

Re:I can't believe that many people... (1)

The MAZZTer (911996) | more than 2 years ago | (#38296064)

TFA says they think this is unlikely due to the type of malware they found.

Re:I can't believe that many people... (1)

ColdWetDog (752185) | more than 2 years ago | (#38296082)

TFAuthors didn't think so. The logic being that these sticks would more likely end up in the dump than on somebody else's computer and that the malware on the sticks was 'generic zombie stuff' (zombies are generic these days?).

Not a particularly tight argument, but there you have it.....

Re:I can't believe that many people... (1)

cyachallenge (2521604) | more than 2 years ago | (#38296128)

That's actually pretty interesting; what if some of these sticks were left intentionally? First, I wouldn't expect a USB stick to have malware. Second, I wouldn't feel bad about using a USB stick that somebody lost (they're mostly cheap and replaceable). Arguably, that could be a good attack vector even for tech-savvy people.

Re:I can't believe that many people... (4, Informative)

1729 (581437) | more than 2 years ago | (#38296258)

This is a routine trick in a security audit: drop some USB sticks in the employee parking lot, and see how many folks just plug it into their computer.

Re:I can't believe that many people... (2)

StikyPad (445176) | more than 2 years ago | (#38296954)

At work? Count me in. It's not my computer.

Re:I can't believe that many people... (3, Funny)

jd (1658) | more than 2 years ago | (#38296412)

I'm more inclined to think that the trains in Australia are carrying viruses and simply infect the USB sticks on contact.

Re:I can't believe that many people... (0)

Anonymous Coward | more than 2 years ago | (#38296802)

Internet Explorer has not been insecure in quite a few years. Unless you're a corp with an ancient unpatched version like IE 6 or IE 7, the last 2 versions of IE (8 & 9) are secure if you run Windows Vista or higher. IE 9 has the best security ratings and fewer holes than any other browser.

Encryption (5, Insightful)

Hatta (162192) | more than 2 years ago | (#38295982)

The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

Re:Encryption (5, Informative)

Anonymous Coward | more than 2 years ago | (#38296106)

That's not the only point of USB sticks - they can also be used to synchronise two trusted computers at different locations. I use one for just this purpose. However, mine is encrypted.

Re:Encryption (1)

The Mister Purple (2525152) | more than 2 years ago | (#38296250)

Excellent point and practice.

Re:Encryption (1)

Baloroth (2370816) | more than 2 years ago | (#38296140)

Or to carry sensitive data often accessed and modified which you don't want on the Internet at all, or to carry the private key for data that is on the Internet. In either case, encryption would be useful. I can think of a few cases where encryption on a USB drive makes sense. Not a lot, true. And in almost any case, invisible encryption would be more useful, so they wouldn't have seen it anyways.

Re:Encryption (1)

Spodi (2259976) | more than 2 years ago | (#38296142)

They are also useful for cheap offline storage. Once or twice a year, I export my KeePass (password manager) database as XML on a thumb drive, put that in an encrypted archive, then store the USB in a safe somewhere. That way I know I can always get to it even if something ugly goes down, like my main KeePass db gets corrupted and I don't notice until after I do my regular offline backups. Can never be too cautious when dealing with thousands of distinct passwords.

Re:Encryption (0)

Anonymous Coward | more than 2 years ago | (#38296768)

I do similar, but for critical data like KeePass files, I prefer adding an additional layer of security. IronKeys are more expensive, but what they give is the fact that an intruder has only 10 guesses before the key fries itself. I use this in combination with a proven encryption utility (TrueCrypt) just in case. Even if there was a weakness in IronKeys, it won't mean that I have less security.

Disclaimer, I don't work for Ironkey.

Re:Encryption (1)

Jahava (946858) | more than 2 years ago | (#38296156)

The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

A common solution is to have multiple versions of encryption/decryption software (such as TrueCrypt) alongside the actual encrypted partition/blob. What you would do is plug it into the "strange" computer, install the software, and then have access to your otherwise-encrypted valuable blob data. Depending on the situation, you can even have multiple encrypted blobs/partitions for different levels of trust.

Re:Encryption (1)

devitto (230479) | more than 2 years ago | (#38296234)

errrrrrrrr, that's a pretty unusual use - only data that's 'public' on a USB stick.

Truecrypt is an easy solution, and is small enough to fit on the stick - problem solved.

Re:Encryption (1)

Hatta (162192) | more than 2 years ago | (#38296396)

If the computer you plug it into is compromised, your truecrypt key can be sniffed.

Re:Encryption (1)

Vegemeister (1259976) | more than 2 years ago | (#38296644)

The last time I checked, Truecrypt used a kernel mode driver, and thus required admin privileges to run on Windows.

Re:Encryption (1)

plj (673710) | more than 2 years ago | (#38296662)

I'll encrypt my sticks as soon as somebody makes an encryption software that works seamlessly in Windows AND Mac OS X AND Linux, and is easy to install and use. Currently, the only one that comes even close is Truecrypt, but due to its stupid vanity licence it isn't a real option on Linux, as it is not included in repos and as such isn't easy to install.

LUKS can work on Windows (with FreeOTFE) but not on OS X, so that isn't an option, either.

Re:Encryption (1)

godel_56 (1287256) | more than 2 years ago | (#38296736)

The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

I think Rohos encrypted containers are fully portable (with a copy of Rohos on the key), unlike TrueCrypt which requires you to have administrator access to the computer. Also there's nothing to stop you encrypting individual files on a USB key, such as with AxCrypt or the encryption options of 7Zip or Zip Genius.

Re:Encryption (1)

Hatta (162192) | more than 2 years ago | (#38296796)

You can't do anything with the encrypted data unless you decrypt it. Once you decrypt it, the host computer has full access to it and your encryption keys. Decrypting files on an untrusted computer is a big no-no.

Maybe they weren't lost? (0)

Anonymous Coward | more than 2 years ago | (#38295984)

Perhaps this is the latest malware distribution method.

On purpose (0)

Anonymous Coward | more than 2 years ago | (#38295992)

It's a good way to spread your malware: "lose" a USB stick and hope the person that finds it puts it in his work machine (if you make sure you lose it during the morning commute).

Re:On purpose (2)

camperdave (969942) | more than 2 years ago | (#38296376)

Actually, leaving it on a bus is a pretty poor way to spread malware. If you are going to be dropsticking, then you want to do it in and around internet cafes and libraries - places where you expect people with computers to be.

Lost? Riiigghtt... (4, Interesting)

wjcofkc (964165) | more than 2 years ago | (#38296014)

I can see someone "losing" a couple in the employee smoking area outside of a bank or large tech company. Lost, sure they were.

Re:Lost? Riiigghtt... (1)

Anonymous Coward | more than 2 years ago | (#38296304)

I remember this attack in the past. At the time, it was the early 2000s and "Free MP3 CDs" were used. The autorun.inf ran some software that had a keylogger, and it also did some fairly fancy PPP over SSH tunneling.

It managed to completely compromise the business, and because their bread and butter was their software build tree and code, a competitor started overseas, got in touch with every single one of the business's clients to offer the same exact software for 1/4 the price, and the original business was shuttered within six months because they lost not just customers, but a needed VC funding round.

It used to be I'd just stuff a random USB flash drive into a Linux box, dd if=/dev/zero of=/dev/sdwhatever, but newer Trojanized ones actually register as a keyboard/mouse and start trying Windows commands once inserted.

Conclusions (4, Insightful)

Rudisaurus (675580) | more than 2 years ago | (#38296026)

Conclusions you can draw from this study: people who ride transit and lose their USB memory stick while doing so are

(a) unlikely to encrypt the contents of their memory stick, and
(b) prone to malware infections

I'm not certain that this group is representative of the general population, however.

Re:Conclusions (1)

MozeeToby (1163751) | more than 2 years ago | (#38296136)

(c) Blackhats are leaving infected USB sticks on public transit on purpose to act as honey pots and spread infections.

Re:Conclusions (1)

Anonymous Coward | more than 2 years ago | (#38296204)

Alternatively, one could conclude that infected memory sticks are more prone to being left on trains.

Safe USB (5, Funny)

FuzzyHead (86261) | more than 2 years ago | (#38296044)

I practice safe USB plugging. I put a rubber cover over my USB stick before I try to plug it in to anything. I have never once caught a virus on it.

Re:Safe USB (1)

Anonymous Coward | more than 2 years ago | (#38296576)

That's a hardware solution of dubious value. :-)

I prefer to make a fake, read-only AUTORUN.INF directory with a read-only text file in it (usually I say what it's there for and call it "readme.txt"). Until malware gets smart enough to look at what's on the USB drive first before blindly writing its own bogus AUTORUN.INF file, this seems to immunize them pretty effectively (the write will fail, both because the directory is read-only and because it is a non-empty directory rather than a file). Between that and disabling autorun on every machine I use, even if a worm gets on there: A) the payload doesn't get run automatically by the AUTORUN.INF file because the file is broken, and B) it doesn't get run when it gets plugged into my machines. Usually I just see a lonely payload file on there, often hidden in the Recycler, and delete it.
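An added example (not the commenter's own script): a Python sketch that inspects the root of a mounted drive for an autorun.inf entry, lists the `[autorun]` keys that would launch a program, and creates the placeholder AUTORUN.INF directory with a readme.txt as described above. The function names, the readme wording and the sample autorun.inf contents in the demo are constructed for illustration.

```python
import os
import stat
import tempfile

README = ("This AUTORUN.INF directory is intentional. It blocks programs that\r\n"
          "try to create an AUTORUN.INF file on this drive.\r\n")


def find_entry(root, wanted="autorun.inf"):
    """Return the root-level entry named autorun.inf (any case), or None."""
    for name in os.listdir(root):
        if name.lower() == wanted:
            return os.path.join(root, name)
    return None


def launch_commands(text):
    """Extract the [autorun] keys that start a program when the drive is opened."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value))
    return found


def check_volume(root):
    """Classify the drive: no entry, placeholder directory, or a real file."""
    entry = find_entry(root)
    if entry is None:
        return {"status": "absent", "commands": []}
    if os.path.isdir(entry):
        status = "immunized" if os.listdir(entry) else "empty-directory"
        return {"status": status, "commands": []}
    with open(entry, "r", encoding="latin-1") as fh:
        return {"status": "file", "commands": launch_commands(fh.read())}


def immunize(root):
    """Create a non-empty AUTORUN.INF directory; never overwrite an existing entry."""
    if find_entry(root) is not None:
        raise FileExistsError("autorun.inf entry already present; review it first")
    folder = os.path.join(root, "AUTORUN.INF")
    os.mkdir(folder)
    note = os.path.join(folder, "readme.txt")
    with open(note, "w", newline="") as fh:
        fh.write(README)
    # Best effort: how these bits map to the FAT read-only attribute depends on the OS.
    os.chmod(note, stat.S_IREAD)
    os.chmod(folder, stat.S_IREAD | stat.S_IEXEC)
    return folder


if __name__ == "__main__":
    # Constructed sample: a temporary directory stands in for the drive root.
    root = tempfile.mkdtemp()
    sample = b"[autorun]\r\nopen=RECYCLER\\payload.exe\r\nicon=folder.ico\r\n"
    with open(os.path.join(root, "autorun.inf"), "wb") as fh:
        fh.write(sample)
    print(check_volume(root))   # reports the launch command for review
    os.remove(os.path.join(root, "autorun.inf"))
    immunize(root)
    print(check_volume(root))   # now reports the placeholder directory
```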

Sample issues (2)

igorthefiend (831721) | more than 2 years ago | (#38296122)

This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.

There's another sample out there of sticks that WERE encrypted, or DID have useful data on them that were recovered by their owners. I.e., they were USB sticks that nobody gave a shit about. Why would we be surprised that there's malware on them and that there was no sensitive data? The other sticks were likely reclaimed.

Re:Sample issues (4, Insightful)

icebike (68054) | more than 2 years ago | (#38296276)

This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.

Auctioning these things seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information (even if accidentally lost) to total strangers.

From TFA:

The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.

CityRail = CityFail (4, Interesting)

Anonymous Coward | more than 2 years ago | (#38296154)

It is more likely that the USBs got infected when someone at CityRail plugged them in to see if there was 'anything good' stored.

Re:CityRail = CityFail (4, Insightful)

The Mister Purple (2525152) | more than 2 years ago | (#38296338)

That hadn't occurred to me. I wonder if the study included a security audit of the CityRail computers?

Re:CityRail = CityFail (2)

Teun (17872) | more than 2 years ago | (#38296496)

In that case they would all have carried the same virus.

Re:CityRail = CityFail (1)

Yvan256 (722131) | more than 2 years ago | (#38296716)

Not if they were plugged into different computers. As Mister Purple said above, a security audit of the CityRail computers should have been done first. And as Icebike said above, I'm also wondering about the legal ramifications for the CityRail about selling things which includes private information.

Most turned in? (0)

Anonymous Coward | more than 2 years ago | (#38296164)

How is it that they know that most lost USB sticks are turned into the lost and found? I find that to be highly unlikely.

Very nice of the Rail Corporation to auction them? (2)

sirdude (578412) | more than 2 years ago | (#38296166)

So, RailCorp decided to auction off lost property that could well be of a sensitive nature to some random member of the public? How responsible is that? Shouldn't the fact that they are able to sell lost (and used) property off at twice their retail value [sophos.com] ring a few alarm bells?

Re:Very nice of the Rail Corporation to auction th (4, Insightful)

icebike (68054) | more than 2 years ago | (#38296342)

My thoughts exactly.

None of these (256 meg to 8 Gig) were so valuable that their destruction would have been considered a huge waste, and the potential damage to the forgetful owner could be massive. You would think that the LEAST they could do was format them, which itself is far from fool proof. But releasing them intact just seems dumb, even if not illegal.

The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.

Re:Very nice of the Rail Corporation to auction th (2)

geekoid (135745) | more than 2 years ago | (#38296530)

No. It's normal SOP. It's not their responsibility to correct everyone else's mistakes. You lose a USB stick and don't claim it? TFB.

The fact they sell it for more than retail just says idiots are buying it.

FAT (0)

slackware 3.6 (2524328) | more than 2 years ago | (#38296176)

Let me guess, all of them were formatted in FAT and were owned by idiots. All of mine are EXT 2 and never touch a computer that has a FAT fs. Plus I never lose my USB sticks and if I did they would only have pictures or occasionally a Live distro of some variety. 50 of anything is not a good test base and people that ride trains are a small demographic.

Re:FAT (0)

Anonymous Coward | more than 2 years ago | (#38296240)

Ext2 is so yesterday!

Re:FAT (0)

mlts (1038732) | more than 2 years ago | (#38296484)

Formatted in FAT is one thing. However there is just no excuse for not encrypting a USB flash drive. On Windows, BitLocker is a right click away. If one doesn't have an edition with BDE, then TrueCrypt is an easy install. Linux, there is TrueCrypt, LUKS, or loopback encryption. Macs have TrueCrypt and other items.

The reason I like using BitLocker or TrueCrypt for encrypting Windows data on a USB flash drive is that if someone finds the drive, can't access it, so formats it, the format.exe command in Windows explicitly will overwrite the sectors containing BitLocker key data, and also will overwrite the volume header in TrueCrypt (not by explicit design, but as part of putting the new filesystem in place.) This way, even if someone gets the password or key later on, the data is gone, barring someone bypassing the disk controller and going cell-by-cell around the wear levelling algorithm.

Re:FAT (1)

SuricouRaven (1897204) | more than 2 years ago | (#38296724)

There is one very good excuse. Portability. That's what USB sticks are used for. You want to be able to take your stick and use it on your desktop, your laptop, your work (/school) computers where you don't have admin access, your friends' computers, and so on regardless of what OS. And right away, not after first installing additional software. None of those solutions solve this problem.

Re:FAT (2)

Vegemeister (1259976) | more than 2 years ago | (#38296788)

Can an arbitrary Windows machine read an ext2 volume? Can an arbitrary Linux machine mount a BitLocker volume? Can you install Truecrypt and mount containers on arbitrary Windows and Linux machines without root privileges? Thought not.

Re:FAT (1)

mlts (1038732) | more than 2 years ago | (#38296888)

There is not much that works cross platform. If I were moving data between completely different platforms, I'd use something standard that would work on a file basis, rather than a filesystem or disk basis. The answer to this is gpg. Most platforms have a working gpg ported to them, be it Android, Solaris, AIX, Windows, Linux, BSD, or even iOS (both jailbroken and non jailbroken apps). I'd just encrypt a file using a passphrase and call it done. If it were a bunch of files, create a bit of chaff of a random size, tar that up, gpg the tar file and copy that to the drive.

So, with this in mind, TrueCrypt or BitLocker do the job well enough. Oftentimes, I'm just moving data from a Windows box to a Windows box, or from a Mac to a Mac. These cases, Disk Image or BitLocker is good enough.
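The file-level approach described in the comment above (random-size chaff, tar, gpg with a passphrase), as an added example that is not part of the original comment. The function names, the chaff size range and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: encrypt a directory at file level before copying it to a USB stick.
# Hypothetical helper names: make_chaff, pack_with_chaff, encrypt_archive.

# Write a chaff file of random length between $2 and $3 bytes to path $1,
# so the ciphertext size does not reveal the exact size of the payload.
make_chaff() {
    chaff_out=$1; chaff_min=$2; chaff_max=$3
    # 16-bit random number from the kernel (POSIX sh has no $RANDOM).
    chaff_r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    chaff_len=$(( chaff_min + chaff_r % (chaff_max - chaff_min + 1) ))
    head -c "$chaff_len" /dev/urandom > "$chaff_out"
}

# Tar the contents of directory $1 plus a chaff file into archive $2.
pack_with_chaff() {
    pack_src=$1; pack_tar=$2
    pack_tmp=$(mktemp -d) || return 1
    make_chaff "$pack_tmp/chaff.bin" 4096 65536 || return 1
    # -C stores relative member names, keeping local directory layout out of the archive.
    tar -cf "$pack_tar" -C "$pack_src" . -C "$pack_tmp" chaff.bin
    pack_rc=$?
    rm -rf "$pack_tmp"
    return $pack_rc
}

# Encrypt archive $1 to $2 under a passphrase. gpg prompts for the passphrase,
# so it never appears in the process list or in shell history.
encrypt_archive() {
    gpg --symmetric --cipher-algo AES256 --output "$2" "$1"
}

# Usage (paths are placeholders):
#   pack_with_chaff "$HOME/outgoing" /tmp/out.tar &&
#   encrypt_archive /tmp/out.tar /media/usb/out.tar.gpg &&
#   rm /tmp/out.tar
# On the receiving machine: gpg --decrypt out.tar.gpg | tar -xf -
```

Only the `.gpg` file should land on the stick; the intermediate tar stays on the local disk and is removed afterwards.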

Two-Thirds of FOUND USB Drives Carry Malware (0)

Anonymous Coward | more than 2 years ago | (#38296190)

Perhaps the title should read

Where's the respect for privacy? (0)

Mr0bvious (968303) | more than 2 years ago | (#38296228)

These USB flash drives should be destroyed, not auctioned off to the highest bidder.

Considering that these devices probably contain personal information, I just don't understand how anyone can think it's right to hand them over to anyone for analysis.

Do we do the same for personal diaries? People's wallets? I certainly hope not.

Personally I think it's disgusting that they are not being treated with the respect that they should be.

Of course I understand that a lot of these were probably not 'lost' but planted for nefarious reasons, but still, some will be legitimately lost personal items that could contain a wealth of personal information!

Sounds like a good thing to lose (-1)

Anonymous Coward | more than 2 years ago | (#38296278)

Good Riddance

Scammers (0)

Anonymous Coward | more than 2 years ago | (#38296288)

A huge amount of "lost" USB drives with no vital information but lots of spyware? Maybe some lucky rider will find one and stick it in their laptop.

Maybe that's exactly what someone wanted them to do.

Summary... (4, Insightful)

Chelloveck (14643) | more than 2 years ago | (#38296344)

Anti-virus vendor says there's yet another way to get a virus, and you need their product even more. Film at eleven.

hello, good samaritan (1)

Thud457 (234763) | more than 2 years ago | (#38296410)

Hey, you found my virus collection! I've been looking for that.
Don't worry about returning the thumbdrive, I'll just download a copy of your computer.

Two-thirds of drives were on a Windows computer (1)

Teun (17872) | more than 2 years ago | (#38296414)

One clear outcome of this investigation is that 2/3 of these USB drives were inserted into Windows computers.

Because it's generally accepted more than 66% of computers run on an MS OS we can guesstimate how many of them are infected.

How to safely use a USB drive? (1)

Anonymous Coward | more than 2 years ago | (#38296500)

What are the best practices for accepting and retrieving files from a USB drive someone gives you?

(assuming I trust the author of the files)

1) turn off autoplay on your system
2) plug it in
3) scan the mounted drive with antivirus software
4) drag and drop the select data files

Aside from having up to date antivirus, Windows patches, and app patches, are there any other good security steps specifically related to USB drives / portable drives?

Re:How to safely use a USB drive? (1)

SuricouRaven (1897204) | more than 2 years ago | (#38296752)

At my workplace,

1) Give it to either my boss, who has a Mac at his desk, or a coworker with an Ubuntu desktop. Failing that, boot a spare laptop off my Ubuntu boot-stick and use that.

Bad sample data (0)

Anonymous Coward | more than 2 years ago | (#38296512)

We already know that a common attack method is to leave an infected USB stick in the parking lot of the company you're going after. There's no reason it won't work equally well on the public by dropping them in public transportation.

There are two conclusions possible (1)

drolli (522659) | more than 2 years ago | (#38296616)

a) either a lot of pseudo-security researchers jumped on the 'let's lose USB sticks on the train' train

b) being careless enough to lose a USB stick is correlated with being careless enough not to encrypt it and both are correlated to being careless enough not to run your virus checker very often.
