Dropping the ball in IT security


If you saw a quarter lying on the ground, would you pick it up? How about a dollar? Now, how about a seemingly brand-new USB flash drive?

If you’re tempted by the prospect of free and handy digital storage, you’re not alone. But if you pick up this apparently innocuous freebie, you may well be compromising your organization’s cybersecurity.

So-called “USB drop attacks” have been perpetrated by black-hat hackers for more than a decade as a means of slyly gaining access to a network or distributing malware. The scam works like this: Bad actors leave what appear to be new and unused flash drives lying on the ground or on a table where they know people will find them. Some USBs are even mailed to their intended targets. People curious to see what’s on the drive plug it into their computers, and the damage is done. It’s reportedly the means by which the United States and Israel were able to infect Iran’s nuclear facilities with the Stuxnet virus. It’s an old trick, but apparently still an effective one.

“It’s human nature to want something for free,” said John Kindervag, vice president and principal analyst for Forrester. “There used to be a day when I would give away speeches and reports on a flash drive. But not anymore.”

Case in point: A group of researchers from the University of Illinois Urbana-Champaign, the University of Michigan and Google decided to drop almost 300 USB thumb drives around six spots on the University of Illinois Urbana-Champaign campus, according to Elie Bursztein, Google’s antifraud and abuse research team lead. Each of the thumb drives was loaded with an HTML file containing an embedded image that was hosted on the researchers’ server. Anyone who accessed that image could be tracked by the researchers.

Of those 297 USB sticks, 290 of them (or 98 percent) were picked up and “135 phoned home, which means that in 45 percent of cases, users plugged in and clicked one of the files contained in the drive,” Bursztein said. (There’s no way to know how many more drives were plugged into computing devices where users did not click on a file or had no internet access, he added.) It took less than six minutes for the first thumb drive to ‘phone home.’

“I was surprised by how effective [this experiment] was,” Bursztein said. “Having at least 45 percent of the people plugging in and clicking on the files was way more than we anticipated.” Another interesting facet of the test, Bursztein pointed out, was that adding an “enticing label to the key like ‘confidential’ didn’t improve the opening rate. My hypothesis was it would have increased the opening rate.”

And despite cybersecurity awareness training and high-profile attacks making headlines daily, results like these are not uncommon. In a similar experiment last fall, IT industry association CompTIA scattered 200 thumb drives on the ground in high-traffic locations around Chicago, Cleveland, San Francisco and Washington, D.C. Close to 20 percent of these drives were picked up and plugged in. Users opened files, clicked on web links and sent messages to email addresses listed in the documents.

“Curiosity is a strong motivator,” Bursztein said. “USB attacks are effective [because] people are intrigued by what is inside, the same way you’d want to know what is in a gift box. People don’t realize the dangers of picking them up off the ground. They see this find as their ‘lucky day event’ rather than an attack.”

That curiosity comes at a cost. Kindervag pointed out that there are a number of ways such drop attacks can be used to infiltrate systems or compromise users, generally through malware that could access botnets, inject keystrokes or exploit zero-day vulnerabilities.

Security expert Bruce Schneier said he “hates these studies… They blame the user for the problems in the system. If you put a grenade on the ground, someone might try and pick that up” and misuse it too. Since this issue plays to common human error, Schneier said he believes a better long-term solution would be to build better security into thumb drives themselves.

In the short term, Bursztein said he thinks “the safest approach is to forbid the use of external USB devices, and some organizations already do this. This can be implemented at multiple levels, by physically blocking the ports and using a policy to restrict the USB devices.”
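The policy-based restriction Bursztein describes has two halves in practice: deciding which removable storage is allowed at all, and checking what actually gets plugged in. The script below is an added illustration of that idea on a Linux host; it is not code from the article or from the researchers. It parses kernel log lines of the kind the Linux USB stack writes when a device is attached (the sample lines are constructed, as are the vendor and product IDs in them), flags any mass-storage device whose vendor:product ID is not on an allowlist, and renders the single modprobe line that disables the usb-storage driver outright for hosts where no removable storage is permitted. The allowlist, the log sample and the function names are assumptions made for the example.

```python
"""Audit kernel log lines for USB mass-storage insertions and compare them
against an allowlist of vendor:product IDs (example code, not the article's)."""
import re
from dataclasses import dataclass

# Constructed sample in the format the Linux kernel logs on USB attach.
# Two of the three devices are mass storage; one is a keyboard/mouse receiver.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-1: Product: Ultra Fit
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new low-speed USB device number 5 using xhci_hcd
usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
usb 1-2: Product: USB Receiver
usb 2-3: new high-speed USB device number 6 using xhci_hcd
usb 2-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
usb 2-3: Product: DISK
usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# "usb <port>: New USB device found, idVendor=XXXX, idProduct=YYYY, ..."
NEW_DEVICE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# "usb-storage <port>:<config>.<interface>: USB Mass Storage device detected"
MASS_STORAGE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    mass_storage: bool = False


def parse_usb_events(log_text):
    """Return one UsbDevice per attached port, marking those the
    usb-storage driver claimed as mass storage."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
            continue
        m = MASS_STORAGE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return list(devices.values())


def unauthorized_storage(devices, allowlist):
    """Mass-storage devices whose vendor:product ID is not allowlisted.
    Non-storage devices (keyboards, receivers) are ignored by design."""
    allowed = {entry.lower() for entry in allowlist}
    return [d for d in devices
            if d.mass_storage and f"{d.vid}:{d.pid}" not in allowed]


def modprobe_blacklist():
    """Content for /etc/modprobe.d/ that stops the usb-storage module
    from loading at all, for hosts where removable storage is forbidden."""
    return "install usb-storage /bin/false\n"


if __name__ == "__main__":
    # Assumed allowlist: only the organization's issued drive model.
    ISSUED_DRIVES = ["0781:5583"]
    seen = parse_usb_events(SAMPLE_LOG)
    for dev in unauthorized_storage(seen, ISSUED_DRIVES):
        print(f"unauthorized mass storage on port {dev.port}: {dev.vid}:{dev.pid}")
    print(modprobe_blacklist(), end="")
```

On a real host the log text would come from `journalctl -k` or `dmesg`, and the blacklist line would be written to a file under `/etc/modprobe.d/`. Matching on vendor and product ID is a coarse control, since those values are set by the device and can be chosen freely by whoever builds it; it catches the ordinary case the experiment measured, not a purpose-built device, which is why port blocking and a default-deny policy remain the stronger layer.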

About the Author

Karen Epper Hoffman is a freelance writer based in the Seattle area.


Reader Comments

Fri, Sep 9, 2016 Mark Goldfain

Interesting article. This experiment shows quite succinctly what is wrong with computer security today. People are being victimized, in part, by the cooperation of their computer's operating system with the hacker's agenda. I would bet that none of those victims specifically decided to send the "phone home". However, their computer's operating system decided to do it without their knowledge or consent. Are O/S designers ever going to build the operating system correctly, so it does not betray the user in this way?
