William Jackson | That's one way to create demand for a solution
Cybereye | Commentary: A security company should find better way to promote its service than by sending out key drives loaded with malicious code
- By William Jackson
- Jul 23, 2007
Senforce Technologies announced last month a new version of its Endpoint Security Suite that includes encryption and controls for removable storage devices such as USB thumb drives. It's no secret that these small, fast, high-capacity drives can be risks, but Senforce has come up with a new trick to drum up a market for the suite.
Shortly before the product announcement, I received in the mail a bright new USB drive from Senforce. Being a sucker for free stuff, I eagerly examined the drive and even read the material. I learned Senforce had thoughtfully loaded the device with malware.
'Once the thumbdrive is inserted into your computer's USB port, the following harmless, yet very insightful experiment will begin,' I was advised:
- The program on the thumb drive will execute once your operating system recognizes the device.
- The program will immediately identify and download the contents of your My Documents folder to the thumb drive.
- You will not receive any notification or warning that your documents have been identified and downloaded.
Nothing to worry about, I was assured. 'No harm will be caused to your data or your computer.' But, I was warned, 'it will be your responsibility to monitor or destroy the thumbdrive once it is in your possession.'
Thanks a lot, guys.
The publicity scheme is to raise awareness of a trick called 'thumbsucking,' a cute name coined by Senforce to describe the process of using a U3-enabled device ' which can carry your software and data ' to trick a computer into downloading data. A U3 drive does this by mapping to two-letter drives when inserted into a computer, one of the drives masquerading as a CD drive. When the computer sees this 'CD' it uses the AutoRun feature to launch the US3 LaunchPad on the thumb drive. If the thumb drive happens to have a thumbsucking tool loaded on it ' and Senforce includes detailed instructions for creating your own tool' data is automatically and secretly downloaded to the device's second drive. There is no word yet if this technique is actually being used in the wild, but depending on the size of the Senforce mailing list, I doubt that it will be long before it is.
I was sorely tempted by their offer. The device is an unbreakable 2G titanium drive with a handy lanyard. An accompanying letter egged me on by saying, 'With the included drive, you are now capable of thumbsucking any of your unsuspecting colleagues! Naturally we don't suggest it.' Wink, wink.
And if I had no playful or malicious inclinations, I should 'feel free after testing to erase the script, and just use the drive as you would any other.'
No, thanks. I just don't feel like taking the risk. At least not on my computer. And certainly not on a friend's computer. How do I know that the experiment is harmless or what else is going on in the background? How do I know it will let me erase the script? I suppose I have Senforce's word for it, and it doubtless is an honorable company. After all, they were honest enough to tell me about the software in the first place.
Maybe I'm being too sensitive about this, but it just seems wrong for a security company to ship out hardware loaded with malicious code. Even to entirely respectable persons like me. Still, it could be an effective tool for creating a demand for an anti-thumbsucking tool, and I have to admit that I'm a little curious. So, take a look at the picture at the top of this column, and if you see someone who looks like that sidling up to your computer with a thumbdrive in his hand '
William Jackson is freelance writer and the author of the CyberEye blog.