Dropping the ball in IT security
- By Karen Epper Hoffman
- Sep 08, 2016
If you saw a quarter lying on the ground, would you pick it up? How about a dollar? Now, how about a seemingly brand-new USB flash drive?
If you’re tempted by the prospect of free and handy digital storage, you’re not alone. But if you pick up this apparently innocuous freebie, you may well be compromising your organization’s cybersecurity.
So-called “USB drop attacks” have been perpetrated by black-hat hackers for more than a decade as a means of slyly gaining access to a network or distributing malware. The scam works like this: Bad actors leave what appear to be new and unused flash drives lying on the ground or on a table where they know people will find them. Some USBs are even mailed to their intended targets. People curious to see what’s on the drive plug it into their computers, and the damage is done. It’s reportedly the means by which the United States and Israel were able to infect Iran’s nuclear facilities with the Stuxnet virus. It’s an old trick, but apparently still an effective one.
“It’s human nature to want something for free,” said John Kindervag, vice president and principal analyst for Forrester. “There used to be a day when I would give away speeches and reports on a flash drive. But not anymore.”
Case in point: A group of researchers from the University of Illinois Urbana-Champaign, the University of Michigan and Google decided to drop almost 300 USB thumb drives around six spots on the University of Illinois Urbana-Champaign campus, according to Elie Bursztein, Google’s antifraud and abuse research team lead. Each of the thumb drives was loaded with an HTML file containing an embedded image that was hosted on the researchers’ server. Anyone who accessed that image could be tracked by the researchers.
Of those 297 USB sticks, 290 of them (or 98 percent) were picked up and “135 phoned home, which means that in 45 percent of cases, users plugged in and clicked one of the files contained in the drive,” Bursztein said. (There’s no way to know how many more drives were plugged in to computing devices, where users did not click on a file or had no internet access, he added.) It took less than six minutes for the first thumb drive to ‘phone home.’
“I was surprised by how effective [this experiment] was,” Bursztein said. “Having at least 45 percent of the people plugging in and clicking on the files was way more than we anticipated.” Another interesting facet of the test, Bursztein pointed out, was that adding an “enticing label to the key like ‘confidential’ didn’t improve the opening rate. My hypothesis was it would have increased the opening rate.”
And despite cybersecurity awareness training and high-profile attacks making headlines daily, results like these are not uncommon. In a similar experiment last fall, IT industry association CompTIA scattered 200 thumb drives on the ground in high-traffic locations around Chicago, Cleveland, San Francisco and Washington, D.C. Close to 20 percent of these drives were picked up and plugged in. Users opened files, clicked on web links and sent messages to email addresses listed in the documents.
“Curiosity is a strong motivator,” Bursztein said. “USB attacks are effective [because] people are intrigued by what is inside, the same way you’d want to know what is in a gift box. People don’t realize the dangers of picking them up off the ground. They see this find as their ‘lucky day event’ rather than an attack.”
That curiosity comes at a cost. Kindervag pointed out that there are a number of ways such drop attacks can be used to infiltrate systems or compromise users, generally through malware that could access botnets, inject keystrokes or exploit zero-day vulnerabilities.
Security expert Bruce Schneier said he “hates these studies… They blame the user for the problems in the system. If you put a grenade on the ground, someone might try and pick that up” and misuse it too. Since this issue plays to common human error, Schneier said he believes a better long-term solution would be to build better security into thumb drives themselves.
In the short term, Bursztein said he thinks “the safest approach is to forbid the use of external USB devices, and some organizations already do this. This can be implemented at multiple levels, by physically blocking the ports and using a policy to restrict the USB devices.”
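One way a defender can back up the kind of USB policy Bursztein describes is to watch for mass-storage devices appearing on endpoints and compare them against an allowlist of approved drives. The following is an added example written for this page, not code from the article or from any of the researchers quoted; it parses a constructed excerpt of Linux kernel log lines (the format mirrors what `dmesg` and syslog emit when a USB device is attached, but the timestamps, vendor/product ids and serial number are sample values), pairs each device's vendor, product and serial with its port, and raises an alert when a mass-storage device that is not on the allowlist is attached.

```python
import re
from dataclasses import dataclass

# Constructed kernel log excerpt (sample data, not from the article): a USB
# flash drive attached on port 1-2 and a keyboard/mouse receiver on port 1-3.
SAMPLE_KERNEL_LOG = """\
Sep 08 09:14:02 host kernel: usb 1-2: new high-speed USB device number 7 using xhci_hcd
Sep 08 09:14:02 host kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Sep 08 09:14:02 host kernel: usb 1-2: Product: Cruzer Blade
Sep 08 09:14:02 host kernel: usb 1-2: SerialNumber: 4C530001230101011234
Sep 08 09:14:02 host kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Sep 08 09:14:03 host kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Sep 08 09:20:41 host kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
Sep 08 09:20:41 host kernel: usb 1-3: Product: USB Receiver
Sep 08 09:20:41 host kernel: input: Logitech USB Receiver as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input12
"""


@dataclass
class UsbDevice:
    """Everything the kernel tells us about one attached device, keyed by port."""
    port: str
    timestamp: str = ""
    vendor: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False


# "New USB device found" carries the timestamp, port and vendor/product ids.
FOUND_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# The serial number is logged on a separate line for the same port.
SERIAL_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
# usb-storage binds to an interface (port:config.interface), e.g. 1-2:1.0.
STORAGE_RE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


def parse_usb_events(log_text):
    """Correlate the per-port kernel lines into one UsbDevice record per port."""
    devices = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            devices[m["port"]] = UsbDevice(
                port=m["port"], timestamp=m["ts"], vendor=m["vid"], product=m["pid"]
            )
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].serial = m["serial"]
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return list(devices.values())


def evaluate_policy(devices, allowed_serials):
    """Return one alert string per mass-storage device whose serial is not approved.

    Non-storage devices (keyboards, receivers) are ignored; a storage device with
    no serial at all is treated as unapproved, since it cannot be allowlisted.
    """
    alerts = []
    for d in devices:
        if not d.mass_storage or d.serial in allowed_serials:
            continue
        alerts.append(
            f"{d.timestamp} unapproved mass-storage device on port {d.port}: "
            f"vid={d.vendor} pid={d.product} serial={d.serial or '<none>'}"
        )
    return alerts


if __name__ == "__main__":
    # Empty allowlist: every flash drive is reported, which matches a
    # "no external USB storage" policy like the one described above.
    for alert in evaluate_policy(parse_usb_events(SAMPLE_KERNEL_LOG), set()):
        print(alert)
```

On a real host the same functions can be fed the output of `journalctl -k` or `dmesg`; the allowlist of serials would come from the organization's inventory of issued drives. Note that the serial is self-reported by the device, so this is a detection and policy-audit control, not a substitute for blocking the `usb-storage` driver or the ports themselves where the policy is to forbid external storage entirely.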
Karen Epper Hoffman is a freelance writer based in the Seattle area.