Posted on 04/11/2016 2:26:42 PM PDT by markomalley
A new study has found that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs.
Researchers from Google, the University of Illinois Urbana-Champaign, and the University of Michigan, spread 297 USB drives around the Urbana-Champaign campus. They found that 48 percent of the drives were picked up and plugged into a computer, some within minutes of being dropped.
"The security community has long held the belief that users can be socially engineered into picking up and plugging in seemingly lost USB flash drives they find," the researchers reported this month.
"Unfortunately, whether driven by altruistic motives or human curiosity, the user unknowingly opens their organization to an internal attack when they connect the drive – a physical Trojan horse."
The study dropped USB sticks containing HTML files that had img tags embedded; opening the files fetched the image from a remote server, allowing the researchers to track the USB drives' use and rough location. It's obviously not a perfect means to detect usage, but close enough. And, yes, we're talking about people – students and staff – who hang around a uni campus.
The drives were usually picked up within hours of being left in the lot, with one being opened just six minutes after being dropped off. Overall, 48 per cent of the drives were picked up and plugged into a PC.
Additionally, the study found that just 16 per cent of users bothered to scan the drives with anti-virus software before loading the files; 68 per cent of the respondents said they took no precautions whatsoever before plugging in the drives.
The users said that, for the most part, they were acting in good faith. 68 per cent of the users said they were only accessing the drive in order to find its owner, though a "handful" of respondents said they were planning to keep the USB drive for themselves.
This led the researchers to believe that an attacker would have no problem spreading malware in an organization by simply dropping an infected USB drive in a public place.
"We hope that by bringing these details to light, we remind the security community that some of the simplest attacks remain realistic threats," the researchers said.
"There is still much work needed to understand the dynamics of social engineering, develop technical defenses, and learn how to effectively teach users how to protect themselves." ®
What could go wrong?
That’s like snacking on the discarded french fries left on the fast food table next to you. Ewwww!!!
Well duh. It’s like saying you have to program people to pick up money. I don’t think so! The researchers don’t know how many drives were viewed without a broswer, either.
I’ve heard of one company doing classified work that scattered USB drives in its parking lot. Any employee who plugged one into a company computer was fired on the spot.
The users said that, for the most part, they were acting in good faith. 68 per cent of the users said they were only accessing the drive in order to find its owner, though a “handful” of respondents said they were planning to keep the USB drive for themselves.
____________________________________________
Baloney. They were all looking for that free porm.
Woo Hoo.
*They found some all right. Under age porn. Now the FBI wants a word with them.
That sounds like a good test.
Sounds like a relatively painless way to make staff reductions for the next crop of H1B’s.
Except citizenship is required to work in such a facility. No H1-Bs.
We have a couple of dedicated computers at work that do only two things. Scan for bad stuff and list the files on the drive. That way, you not only keep any bad stuff from getting into a company computer, by looking at the list of files, you stand a good chance of finding the owner of the lost drive.
I’ve done it many times.
I never see any lying around
My son did have his 200 dollar plus Bose headphones fall out the FJ door recently
It was 10pm or so and we drove back 8 miles to a near empty lot and there they were right where they fell out in perfect shape
We got lucky
Well, people love finding free stuff... Especially if it’s someone elses personal private stuff.
Apparently that includes free virus’s.
Of course, firing on the spot wouldn't be an option since the employee would have to be kept on just long enough to train the H1B.
If I find a 64 GB USB drive, you damn right I’ll plug it in.
If I cant ID the owner, finder’s keepers!
My PC doesn’t run anything off of one automatically, and I’m not going to click on .exe, .bat, or HTML files as a matter of years old habit.
I plug in found flash drives, but I do it at a public library computer. I look for identifying information and have found owners two out of three times. “Your flash drive is at the desk in the ____ library.”
Put one in my own computer? No way!
A brand new 64GB USB3.0 flash drive will cost you less than twenty bucks.
Millennials at a university, no wonder they have such a high rate of STD infections.
I've read about cases where these devices have been hacked to identify themselves as USB keyboards, and then they start sending keystrokes automatically when they're plugged in.
Of course they are! Hoping to find some home-made pron!
Unless you know a good document counterfeiter. If you are useful to the ruling class, they will even appoint one for you.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.