If you saw a 50cent coin lying on the ground, would you pick it up? How about a dollar? Now, how about a seemingly brand-new USB flash drive?
I know most Zimbabweans want freebies, but trust me with tech these days, nothing is for free and the intent may be more devastating than the seemingly pretty little gift bag you have just received. What if i want to know your trade secrets, harvest data statistics or maybe more ambitious, want to leak those intelligence files and become the Zimbabwean Snowden.
It could simply be easier with use of latest technology, unfortunately most of our highly qualified IT experts in Zimbabwe, have no knowledge about these techniques , neither are they trained to combat latest technological threats or trends,
Here is a very interesting read from GCN.com, on latest USB drop attacks which are now prevalent , world wide.
If you’re tempted by the prospect of free and handy digital storage, you’re not alone. But if you pick up this apparently innocuous freebie, you may well be compromising your organization’s cybersecurity.
So-called “USB drop attacks” have been perpetrated by black-hat hackers for more than a decade as a means of slyly gaining access to a network or distributing malware. The scam works like this: Bad actors leave what appear to be new and unused flash drives lying on the ground or on a table where they know people will find them.
Some USBs are even mailed to their intended targets. People curious to see what’s on the drive plug it into their computers, and the damage is done. It’s reportedly the means by which the United States and Israel were able to infect Iran’s nuclear facilities with the Stuxnet virus. It’s old trick, but apparently still an effective one.
Case in point: A group of researchers from the University of Illinois Urbana-Champaign, the University of Michigan and Google decided to drop almost 300 USB thumb drives around six spots on the University of Illinois Urbana-Champaign campus, according to Elie Bursztein, Google’s antifraud and abuse research team lead. Each of the thumb drives was loaded with an HTML file containing an embedded image that was hosted on the researchers’ server. Anyone who accessed that image could be tracked by the researchers.
Of those 297 USB sticks, 290 of them (or 98 percent) were picked up and “135 phoned home, which means that in 45 percent of cases, users plugged in and clicked one of the files contained in the drive,” Bursztein said. (There’s no way to know how many more drives were plugged in to computing devices, where users did not click on a file or had no internet access, he added.) It took less than six minutes for the first thumb drive to ‘phone home.’
“I was surprised by how effective [this experiment] was,” Bursztein said. “Having at least 45 percent of the people plugging in and clicking on the files was way more than we anticipated.” Another interesting facet of the test, Bursztein pointed out, was that adding an “enticing label to the key like ‘confidential’ didn’t improve the opening rate. My hypothesis was it would have increased the opening rate.”
And despite cybersecurity awareness training and high-profile attacks making headlines daily, results like these are not uncommon. In a similar experiment last fall, IT industry association CompTIA scattered 200 thumb drives on the ground in high-traffic locations around Chicago, Cleveland, San Francisco and Washington, D.C. Close to 20 percent of these drives were picked up and plugged in. Users opened files, clicked on web links and sent messages to emails addresses listed in the documents.
That curiosity comes at a cost. Kindervag pointed out that there are a number of ways such drop attacks can be used to infiltrate systems or compromise users, generally through malware that could access botnets, inject keystrokes or exploit zero-day vulnerabilities.
Security expert Bruce Schneier said he “hates these studies… They blame the user for the problems in the system. If you put a grenade on the ground, someone might try and pick that up” and misuse it too. Since this issue plays to common human error, Schneier said he believes a better long-term solution would be to build better security into thumb drives themselves.
In the short term, Bursztein said he thinks “the safest approach is to forbid the use of external USB devices, and some organizations already do this. This can be implemented at multiple levels, by physically blocking the ports and using a policy to restrict the USB devices.”