September 30, 2016
We’ve all encountered this at some point: you’re walking down the street, or you sit down at your local coffee shop, and you find a USB stick. Maybe it has a label on it that reads “Financial Records”, “HR Data” or “Personal”, and it piques your curiosity. So you plug it into your computer. At that point the damage could already be done.
In the popular TV show Mr. Robot, two USB stick attacks were demonstrated: one in which someone scattered USB sticks containing malware in a parking lot, and another in which a USB stick was inserted into a computer for a few seconds and stole all the passwords for the users on the computer. These attacks are not fantasy; they are real and occur daily.
In a recent study it was found that 60% of USB sticks left out in public are picked up and plugged into a computer, and the documents on them read. How did the researchers know they were plugged in? Because the documents on the USB stick, or the USB stick itself, had code built into them that called back to the researchers to let them know someone had attempted to access the contents of the stick. While the researchers' code was not malicious, it is quite easy for criminals to make USB sticks, and the documents on them, carry malicious content. This would allow attackers to steal your credentials, install keyloggers, create backdoors on your computer, or access your personal information.
If you do find a USB stick:
- DO NOT plug it in
- If you are on campus, hand it in to the IT Help Desk in the Library
- If you are in a business like a coffee shop, give it to an employee
Written by: Brendan Hohenadel (Cyber Forensics Analyst, Information Security)