

US Govt. plant USB sticks in security study, 60% of subjects take the bait - Auguste
http://thenextweb.com/industry/2011/06/28/us-govt-plant-usb-sticks-in-security-study-60-of-subjects-take-the-bait/

======
dspillett
A similar study was done in a busy town center some time ago. Tens of USB
drives were left around the town over a couple of days as if they had been
dropped or forgotten. Each contained a (Windows only) auto-run program that
called home, a couple of password protected document files (containing
gibberish) so the drives looked like they'd actually been used, and a text
file called "if found please return to.txt" or similar with an email address
and a note asking that this address be contacted if the stick were found lost.

I forget the exact numbers and can't find a link to the report at the moment
but a fair proportion of them, at least once over the next couple of weeks,
ended up getting plugged into a Windows machine on a network that let the
call-home happen. At least one of them seemingly got plugged into a machine at
a bank branch (presumably they inferred the machine was at a bank from the
address the call home request came from) which is somewhat worrying: bank
machines that may have access to sensitive information not being locked down
at all so the drive could be plugged in and used, the program could run, and
the program could access the internet without restriction from that location.
A couple of the drives were seen by the server they called home to multiple
times, implying that some fools were using the drives as their own without
removing any existing information from them. Very few people contacted the
email address, so presumably most of the drives that got to phone home once
were swiped, wiped, and claimed by their finder (human nature, don't you just
love it).

Obviously there is no saying what happened to the ones that didn't call home -
they were either not found, found and handed in somewhere where they still
languish, found and binned, not plugged into a machine configured to allow
the autorun and call-home to happen, or so on.

I considered grabbing a bunch of cheap flash drives and repeating the
experiment myself in my home town but never actually bothered, mainly because
it would mean spending beer money on drives I'd never see again!

------
ColinWright
See also: <http://news.ycombinator.com/item?id=2704831>

(Yes, I've set each to point at the other. Neither has comments yet, same
story, different sources, although this submission seems just to be
summarising and commenting on that one.)

------
amalag
60% plugged them in, don't you need autorun or need to execute something to
make it effective?

Otherwise couldn't you plug it in, look at the directory and format it and not
be exploited?

------
jackvalentine
Surely you'd disable the USB ports on computers that are connected to a
"clean" network if you thought this was an issue.
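As an added example (not code from the thread or the study), here is what amalag's autorun question and jackvalentine's "disable the USB ports" suggestion come down to on a Windows host: a PowerShell audit of the Explorer AutoRun policy values and the USB mass-storage driver, with an optional remediation. The function names are mine; the registry paths and values are the standard Windows ones, and the script assumes an elevated session.

```powershell
# Audit the settings that decide whether a found USB stick can auto-run at all.
function Test-UsbAutorunHardening {
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled.
    # 0xFF disables it for every drive type; bit 0x04 alone covers removable drives.
    $mask = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun `
             -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $removableAutorunOff = ($null -ne $mask) -and (($mask -band 0x04) -eq 0x04)

    # NoAutorun = 1 stops Explorer from honouring autorun.inf entirely.
    $noAutorun = (Get-ItemProperty -Path $explorerPolicy -Name NoAutorun `
                  -ErrorAction SilentlyContinue).NoAutorun
    $autorunInfOff = ($noAutorun -eq 1)

    # USBSTOR Start = 4 disables the mass-storage driver, so a newly plugged-in
    # stick never mounts (the "clean network" machines in the thread).
    $start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start
    $massStorageOff = ($start -eq 4)

    [PSCustomObject]@{
        RemovableAutorunDisabled = $removableAutorunOff
        AutorunInfDisabled       = $autorunInfOff
        UsbMassStorageDisabled   = $massStorageOff
        # Either autorun is fully off, or sticks cannot mount in the first place.
        Hardened                 = (($removableAutorunOff -and $autorunInfOff) -or $massStorageOff)
    }
}

# Optional remediation: disable AutoRun everywhere and, if asked, block USB storage.
function Set-UsbAutorunHardening {
    param([switch]$BlockMassStorage)
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $explorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    Set-ItemProperty -Path $explorerPolicy -Name NoAutorun          -Type DWord -Value 1
    if ($BlockMassStorage) {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                         -Name Start -Type DWord -Value 4
    }
}

Test-UsbAutorunHardening | Format-List
```

Blocking USBSTOR only affects devices attached after the change; already-installed sticks keep working until their driver entries are removed.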

