Tales from the Certified Hacker: How about a free USB drive? No, thanks!

22 Sep 2016

Beware of USB drives

Victorian Police reported on 21 September 2016 that criminals have been dropping USB drives into letterboxes in Pakenham, Victoria. At a bulk cost of a little over 50 cents for a 128Mb USB drive, it would be a good ransomware investment for a cyber criminal.

Past surveys have shown that around 50% of system administrators will insert ‘found’ USB drives into corporate systems, and these are people who have had security training. Users are even more susceptible to doing this, so it becomes a very easy means of tricking them into installing malware. The USB key is a perfect Trojan Horse. This was the method believed to have been used to install the Stuxnet virus into the Iranian nuclear plant back in 2010. The Stuxnet virus is still out in the wild today.

This blog is written to warn users NOT to check the contents of an unknown USB drive or any other device on their desktop or laptop computer. If you are required to check a USB drive from which a customer has asked you to copy or print data, ensure it is thoroughly tested/scanned in a ‘sheepdip’ computer. A sheepdip computer is a computer or a virtual machine which has no connection to the corporate network and can be reverted without saving any changes after a scan of a USB/hard drive/CD-ROM. If any ‘nasties’ exist on the USB drive, do NOT clean it, but give it back to the customer and warn them of the existence of malware on the device.


Terry Griffin

