Lost USB Sticks: Bad News

December 7, 2011

I’ve written here on several occasions about the security risks associated with mobile devices, from the basic risk of loss or theft to their vulnerability to more sophisticated attacks like the Evil Housekeeper.  One of the basic security precautions I and many others have recommended is encryption of the devices’ disks or other storage media.  But I’ve also said that a sensible security policy should not depend on the average user being a competent systems or security administrator: (s)he isn’t, and there is not much chance of that changing.

A new article at IT World provides some more rather melancholy evidence to support this view.  In an auction of lost property held by the Rail Corporation of New South Wales, in Australia, the anti-virus firm Sophos acquired three bags of USB sticks (thumb drives) that had been lost by rail commuters in the Sydney area.  Sophos analyzed the data on 50 working USB devices, and the results were not encouraging.

An analysis of USB memory sticks lost on trains in Sydney revealed that two thirds of them were infected with one or more strains of malware and none was secured with an encryption solution.

According to Sophos, the analysis was performed on 50 USB sticks that ranged from 256MB to 8GB in size and revealed that 33, or 66%, of them were infected, some with multiple types of malware.

The 33 infected devices contained a total of 62 infected files, representing various forms of common Windows malware.  No malware for OS X was found, although metadata on nine of the devices indicated they had been used on Mac OS X machines; seven of the nine contained Windows malware.

The data on the USB devices was, for the most part, the sort of stuff you would expect to see.

There were no visible plans for nuclear submarines, no insider trading tips, no credit card dumps, no criminal plots, and no US State Department cables dating back to the 1970s.

As Sophos noted in their report, they used a mostly automated analysis, and did not dig into the data to the extent a forensic investigator or malicious hacker might.  But they still found 4,443 individual files, some containing potentially sensitive data, such as:

  • Lists of tax deductions.
  • Minutes of an activists’ meeting.
  • School and University assignments.
  • AutoCAD drawings of work projects.
  • Photo albums of family and friends.
  • A CV and job application.
  • Software and web source code.

Many of the devices also contained enough information to identify the owner, family members, and friends.

One might argue that the people who lost these devices are, since they did lose them, more careless than average; and there may well be some truth in that.  Nonetheless, I think it is striking that none of the devices or files was encrypted; the high incidence of malware is also disturbing.  In case we needed it, this is another reminder that security is not just a technical problem.
