How many people remember the 1992 short movie “Don’t Copy That Floppy”, which was supposed to fight software piracy? For those who do, the bad music, rhymes and situations have probably scarred us for life. Interestingly, there is a new message that one can take away from this video. It is not about copyright infringement, but about the risk associated with using our latest incarnation of Sneaker-Net 2.0: the USB thumb drive.
We have all paid attention to the news about the risk of USB thumb drives allowing employees to walk out with information, and there are tools and tricks for mitigating that risk. But the one we have yet to resolve is USB storage devices that come from the manufacturer with live, active malware ready to infect your core. Don’t believe me? Well, hopefully you have heard about the recent issue with Hewlett Packard sending its customer base infected USB thumb drives. No, these were not promotional marketing schwag; these were intended for use with HP's line of servers. ComputerWorld said, “A security analyst with the SANS Institute’s Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. ‘I think it’s naive to assume that these are not targeted attacks,’ …” Doesn’t this sound like the implantation of the malware was an intentional act?
What about those pesky picture frames that showed up at Best Buy stores preconfigured to infect your machines? Fortunately, Best Buy owned up to the problem and recalled the picture frames, but not without gaining a bit of bad press for being reluctant about doing so. Now, stepping back for a minute: how many other incidents have we had where a USB device has been discovered out of the box and primed for infection? I’m counting news releases and articles that extend back almost a year by now. It’s interesting that these devices are finding their way into the mass consumer’s hands and onto equipment for both residential and business use.
So, jumping back to the message that “Don’t Copy That Floppy” was originally trying to convey, there’s a new risk for users if they want to copy anything these days. Those fresh, new, mint-condition USB-enabled devices are going to backdoor your system even if they do come from a trusted source. Or, alternatively, if you find one lying on the side of the road, in the company parking lot, or in the bathroom, there may be a bigger scheme at hand. What about all those USB giveaways that you get at conferences or in the mail? Yup, they’re not immune to being contaminated either, and it will be particularly ironic when an antivirus company hands you a USB device that’s infected! But enough about the drives; what about those other devices that have storage on them, like our phones, printers, and Ethernet devices? How long is it going to be until you buy your brand new, top-of-the-line trendy phone only to have it deliver a new Trojan right into your machine?
That’s just a small part of the problem: vendors not doing a good QA check of their products before they leave the door. But what can be done for the consumer in all of this? Obviously, you should not trust a device just because it’s new and still shrink-wrapped. Before using the device with your workstation, format it first, preferably with a low-level format if you know how. Finally, if you come across a device that is infected out of the box, write about it! Be a fellow netizen and alert us to your concerns and findings if you stumble across one of these devices.
Some additional resources:
Don’t Copy that Floppy : http://en.wikipedia.org/wiki/Don’t_Copy_That_Floppy
HP admits to selling infected flash floppy drives : http://www.computerworld.com.au/index.php/id;314715708
Best Buy sold infected digital picture frames : http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058638
Best Buy recalled infected picture frames : http://www.securityfocus.com/brief/670
Social Engineering, the USB Way : http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
Hackers debut malware loaded USB ruse : http://www.theregister.co.uk/2007/04/25/usb_malware/